Shark Bait

Knowledge Centers

Operating Systems

Networking & Internet

Mobile & Wireless

Security

Storage

Business Intelligence

Servers & Data Center

Computerworld Reports

Industry

See your link here

IT Blogwatch

A Daily Digest of IT Blogs from Richi Jennings

Critical IE patch now available: go get it!

7 comments

TAGS:Internet Explorer, Microsoft, MS08-078, MSFT, patch
IT TOPICS:Desktop Applications, Internet, Security, Software, Windows & Microsoft

In Thursday's IT Blogwatch, Richi Jennings watches bloggers watch Microsoft's latest out-of-cycle, critical patch for Internet Explorer. Not to mention portability, 1980's style...

Previously in IT Blogwatch: Zero-day IE exploit targeting "missing" patch.

Gregg Keizer is a busy little bee:

As it promised [Tuesday], Microsoft Corp. today issued an emergency patch to plug a critical hole in Internet Explorer (IE) that attackers have been increasingly exploiting from hacked Web sites.

The patch, described in Microsoft's security bulletin MS08-078, fixes a flaw in the data-binding function of all available versions of the popular browser, including IE5.01, IE6, IE7 and IE8 Beta 2. Microsoft labeled the bug as "critical," the most serious threat ranking in its four-step scoring system.
...
According to both Microsoft and numerous security firms, attacks have been mounting, particularly since last weekend, when hackers began hijacking legitimate Web sites and launching exploits against unwary visitors. In fact, Microsoft said it monitored a "huge increase" in attacks last Saturday.

Julie Bort bought donuts:

The number of infected Web sites, many of them legitimate, has grown at "an alarming" rate since the vulnerability was released into the wild and people need to do nothing but visit an infected site with a vulnerable browser to be affected.
...
By Friday, Microsoft was aware users were becoming infected at a rate even faster than previous zero-day exploits. Originally porn sites seemed to be the carriers, but the number of legit sites causing infections was skyrocketing. Hackers were planting the exploit using well-known SQL injection techniques.
...
It is users' turn to protect themselves by installing this emergency patch and all all the others, and fast.

David Hunter gets pedagogic with the etymology: [Come again? -Ed.]

Since the bad guys were exploiting it before Microsoft knew it existed, the exploit is termed "zero day" because that is how much notice Microsoft got of the problem.

It is also termed an "drive-by" exploit since a user could pick up a malware infestation by merely using IE to browse any of thousands of compromised websites. In short, it was really nasty stuff.

Brian Krebs sounds worried:

Microsoft estimated Monday that one in every 500 Windows users had been exposed to sites that try to exploit the flaw. Additionally, it said the number of victims was increasing at a rate of 50 percent daily.
...
This is an urgent update. If you use Windows, apply this patch now.

Microsoft's Mike Reavey grabs the mic:

This update will be applied automatically to hundreds of millions of customers through automatic updates over the next few days. And, for our enterprise customers - with multiple systems within their networks – this update can be deployed through all standard security update management systems including, SCCM, SMS, WSUS, and Windows Update ... This update meets the quality, deployment and application compatibility criteria. It is a high-quality update, ready for broad release, and we encourage customers to test and deploy this update as quickly as possible.
...
We were able to share detailed information with our partners in the Microsoft Active Protections Program (MAPP) and Microsoft Security Response Alliance (MSRA), allowing protections to be created for over 24 different security partners' products. This is further validation of our commitment to ‘community based defense’ and means customers that ... weren’t even using Microsoft products, were also protected from known attacks.

Ed Oswald is impressed by Microsoft's speed:

Well, that was quick.
...
It’s pretty bad when security experts are telling your customers to switch. These are unbiased (for the most part) folks, and the typical computer user is going to take their advice seriously.

But Tiny Dancer... well, not so much:

Eight days is rather shamefully long to have to wait for a potentially devastating vulnerability to be fixed. This ain't Hanukkah, Microsoft, and you ain't no Maccabee.

And finally...

Portability, 1980's Style

Buffer overflow:

Other Computerworld bloggers:

Like this stuff? Subscribe to the RSS feed.

Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 23 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.

Previously in IT Blogwatch:

Email this

Digg this

What People Are Saying

Add new comment

Microslop

Submitted by IT Student on December 18, 2008 - 8:24 A.M.

I have been working in the electronics-computer field for close to 30 years. Many of those spent working with unix/linux o/s mainly server based. I have not yet seen any more stable o/s for servers that unix/linux. I agree that microsoft sucks but they are a necessary evil. People have been duped and sucked in to using their software for years. To me they are like the "bully" on the playground taking other kids money. They build their O/S and other software and push it out quickly, down our throats, without proper testing (whoops I forgot they refer to that as a "beta" program). People should wake up and realize that microslop isn't the only one out there.

Reply | Report this comment

Please...

Submitted by IT Blogwatch on December 18, 2008 - 9:05 A.M.

                            __________________________
                   /|  /|  |                          |
                   ||__||  |       Please don't       |
                  /   O O\__           feed           |
                 /          \       the trolls        |
                /      \     \                        |
               /   _    \     \ ----------------------
              /    |\____\     \     ||               
             /     | | | |\____/     ||               
            /       \|_|_|/   |    __||               
           /  /  \            |____| ||               
          /   |   | /|        |      --|             
          |   |   |//         |____  --|             
   * _    |  |_|_|_|          |     \-/               
*-- _--\ _ \     //           |                       
  /  _     \\ _ //   |        /                       
*  /   \_ /- | -     |       |                       
  *      ___ c_c_c_C/ \C_c_c_c____________

Reply | Report this comment

What are the odds?

Submitted by SkateNY on December 18, 2008 - 6:52 A.M.

Let's face it. Microsoft software sucks. The OS sucks, so why wouldn't their Web browser suck? Microsofties have spent their lives and, in many cases, their savings, defending a fatally flawed operating system and a Web broswer that allows anyone with a high school education to access their personal files and information. How stupid do you want to be today?

All this crap about "Apple fanboys" and "Linux tree-huggers" is meaningless in the face of ongoing assaults on an operating system devised in hell. I don't care what OS you use; just please stop defending software that is not only flawed, but which invites intruders to exploit every -- and there are SO MANY -- deficits in your OS. Please. Stop telling me how stable Windows and IE are. You're making me want to vomit.

Reply | Report this comment

Have some perspective

Submitted by IT Blogwatch on December 18, 2008 - 9:03 A.M.

Have some perspective.

In the past few days, we've seen critical security patches for Firefox, Opera, and Mac OS X. We might have seen them for Chrome, too, if Google didn't update it silently.

Reply | Report this comment

IE Critical patch

Submitted by Anonymous on December 18, 2008 - 6:37 A.M.

Thanks for the news.

How about a prominent link to download the patch.

Reply | Report this comment

You're welcome

Submitted by IT Blogwatch on December 18, 2008 - 9:00 A.M.

See Mike Reavey's post for details of the many ways you can get the patch.

Alternatively, there's always the security bulletin, but that can confuse some people, so I'm loathe to link to it in the main post.

Reply | Report this comment

How about a link to Mike Reavey's article then?

Submitted by Scott Wright on December 20, 2008 - 6:47 A.M.

Sorry, I couldn't help it. I'll find it. Glad I re-checked my sources after creating my podcast. At the time I started working on it, the patch wasn't available yet.

Reply | Report this comment

Zero-day IE exploit targeting "missing" patch

Bad news: we're stuck with IE6 until 2014

TWENTY-THREE critical bugs patched this month. Wow.

One billion Firefoxes

LIVE Nov 10, 2009 12:00 PM ET

Architecting Business Intelligence Applications for Change: The Open Solution

LIVE Nov 12, 2009 02:00 PM ET

Applying Remote Support Technology for Maximum Impact
Download Now!

Top to Bottom Performance Management Excellence at the City of Chicago
View now.

IBM Migration Factory: A smooth transition to new technology
Find out how to migrate your applications smoothly over to IBM.

Effectively Implementing Datacenter Automation
Effectively select and deploy the best datacenter automation solution today!

Natural User Interface for Enterprise Applications
Download this Complimentary White Paper! Provided by Workday.

Aligning IT to Business: The Rising Importance of Application Delivery Networks
Application Delivery Networking (ADN) will play a vital role in helping enterprises incorporate strategic technologies to achieve business initiatives.

All White Papers | All Webcasts

Computerworld Reports

8 Questions To Ask About Your Intrusion-Security Solution

Computerworld Technology Briefings IT Service Management

Computerworld Briefing - Analytics: The Art and Science of Better

All Computerworld Reports

Receive the latest technology news and information.

	Computerworld Daily News (First Look and Wrap-Up)
	Computerworld Blogs Newsletter
	The Weekly Top 10

View all newsletters

* E-mail Address:

* Industry:

* Job Title:

* Company Size:

* Country:

* State:

I would like to receive offers via e-mail from Computerworld partners.

IT Blogwatch's Archive

IT Topics

Sponsored Links

Play NetApp's New Data Defense Game.

How Do You Rank as an Innovation Leader? Download Recent Study.

Play NetApp's New Data Defense Game.

Extraordinary times demand Brocade Extraordinary Networks.

No Payments for Up to 6 Months on Orders over $500.

NetScaler VPX : Harness the Power of Virtualized Web App Delivery

64-page prescriptive guide to security, compliance, and IT operations.

Streamline IT Costs. Boost Performance with WAN Optimization

Enterprise Network & Server Monitoring Software. Cross over to Traverse...

Keep your IT expertise up to date. Join the Intel Premier IT Professionals.

Crystal Reports Server: More options. Not more money.

Parallelism is not just for HPC. Create rich apps from desktop to device. Get the eval.

Tolly Performance Report "Citrix NetScaler with nCore Outperforms F5 BIG-IP"

Save up to 61% plus Free Cheesecake

Find IT jobs in the Healthcare industry on Dice.com

With the NEW KODAK i700 Series Scanners get full speed at 300dpi!

Not All QSAs Are Created Equal: What You Should Know Before You Buy

The arrival of Serial Attached SCSI (SAS) marks a new era in storage scalability

The AMD Virtual Experience Virtual Trade Show

New DW Options and Price Points. View Teradata Platform Family Data Sheet.

See how AT&T can help protect your network.

3 Innovations. 3 Free Downloads. Free trials of Windows 7, Windows Server 2008 R2 and Exchange Server 2010.

Take the Netezza TwinFin TestDrive!

Citrix NetScaler with nCore Outperforms F5 BIG-IP - Learn More

New Analytical Platform Options. Download Data Sheet and More.

Get more enterprise mobility value for up to 25% less.

Unified Communications: Thoughts, Strategies and Predictions. Join the discussion.

NYUs M.S. in Management and Systems. Offered Online and On-site.

Increase UPS efficiency without sacrificing protection

Crystal Reports Server: Single server access to reports & dashboards

Create new opportunities. See business making progress now

ESET NOD32 with ThreatSense(R) - Get your free trial now!

Looking to add Unix/Linux functionality to Windows?

Join the conversation about the hottest IT trends with Computerworld on Twitter.

ITwhitepapers.com - Access thousands of white papers on 300+ technical topics.

Leverage Your Cisco infrastructure for Superior Application Performance

Learn about the AMD Virtual Experience

Introducing: Project Icebreaker

About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map

CIO

Computerworld

CSO

DEMO

GamePro

Games.net

IDC

IDG

IDG Connect

IDG Knowledge Hub

IDG TechNetwork

IDG Ventures

IDG.net

InfoWorld

ITwhitepapers

ITworld

JavaWorld

LinuxWorld

Macworld

Network World

PC World

The Industry Standard

Copyright © 1994 - 2009 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of
Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.

Critical IE patch now available: go get it!

What People Are Saying

Microslop

Please...

What are the odds?

Have some perspective

IE Critical patch

You're welcome

How about a link to Mike Reavey's article then?

Related Posts

Today's Top Stories

Hot Posts

Recent Comments

White Papers & Webcasts

Computerworld Reports

Newsletters

IT Blogwatch's Archive

IT Topics

Sponsored Links