Internet Explorer stars in monster October Patch Tuesday

October is stacking up to be a bumper Patch Tuesday update with nine bulletins lined up for delivery — three rated critical. Cloud security firm Qualys estimates two of the lesser "important" bulletins are just as bad however, as they would also allow malicious code injection onto vulnerable systems. Top of the critical list …

  1. Anonymous Coward

    The gift that keeps on giving.

    1. Anonymous Coward

      But in the case of IE - not as much as Google Chrome does!

      1. Paul Crawford Silver badge

        Cardinal Ximénez: Google Chrome is the browser you can update without needing a reboot!

        Cardinal Fang: Firefox as well.

        Cardinal Ximénez: Yes, Google Chrome and Firefox can both be updated without a reboot!

        Cardinal Biggles: What about Opera?

        Cardinal Ximénez: Among the browsers that can be updated without a reboot, are Chrome, Firefox, Opera, Safari, Konqueror...

        Cardinal Fang: Don't forget to mention a fanatical devotion to the Pope, and not IE

        1. Anonymous Coward

          Just because they're not used by the OS itself... the IE HTML rendering engine is used in many OS interfaces. There are in fact patches of IE that don't require a reboot - depends on what file they update.

          Moreover Linux fans still are deceived by the fact it doesn't ask for a reboot, but the files aren't actually updated until applications using them are closed and restarted. What is better - a false sense of security, or a message reminding you you need to reboot?

          1. nijam Silver badge

            Not quite right... the files are updated, and the new version will be used as soon as the application (not the OS) is restarted. And for goodness sake why would the OS need an HTML rendering engine *built-in*? (If it's not built-in, an update doesn't warrant a reboot, you realise.)

          2. Paul Crawford Silver badge

            @LDS

            "What is better - a false sense of security, or a message reminding you you need to reboot?"

            Well for a start it is better to simply restart a web browser (which is sometimes needed for other reasons) than to have to stop everything you are doing, saving sessions, etc, for that alone!

            Also in the case of Linux, at least from my experience, if say Firefox is updated it tells you that it needs restarting. And not the whole machine, which could be running other stuff or have other users logged in.

          3. Anonymous Coward

            the files aren't actually updated until applications using them are closed and restarted

            Files are updated when they're still open, executables still continue to run when their file is replaced. The applications that currently have it open see the old version of the file. Normally, the service that's being updated is stopped/restarted during the update process if it's known to be problematic.

            It's not a false sense of security, it's the way it was designed, and the way it works. I know it's difficult for those familiar with the way Windows has conditioned your thinking, but it's how a minimal-downtime and maintainable system should behave.

            The only type of update that requires a reboot is a Kernel update - but these aren't that common, and you rarely need to use the new features, so you're free to pick them up on your next natural reboot. No nagging.

            You should give this stuff a go, sometime... broaden your knowledge of other aspects of the IT industry. Learning's a good thing. (or, in case you're just a fanboy ranter... "know your enemy").
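
The behaviour described in the comment above, where a running process keeps using the old copy of a replaced file, is visible in `/proc/<pid>/maps`: the kernel appends ` (deleted)` to a mapping whose backing file has been unlinked. The following is an added example, not part of the original thread; the sample maps text, the `exampled` binary name and the list of ignored path prefixes are constructed assumptions.

```python
import os
import re

# One line of /proc/<pid>/maps: address range, perms, offset, dev, inode, optional path.
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)
DELETED = " (deleted)"
# Assumed ignore list: mappings that are unlinked by design, not by a package update.
IGNORED_PREFIXES = ("/dev/", "/memfd:", "/SYSV", "/tmp/", "/run/")


def stale_mappings(maps_text):
    """Return sorted paths of executable mappings whose backing file was replaced or removed."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or not m.group("path").endswith(DELETED):
            continue
        path = m.group("path")[: -len(DELETED)]
        # Only code the process can still execute matters for a security update.
        if "x" not in m.group("perms") or path.startswith(IGNORED_PREFIXES):
            continue
        stale.add(path)
    return sorted(stale)


def scan_proc(proc_root="/proc"):
    """Map pid -> stale files for every readable process (Linux only)."""
    report = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_mappings(fh.read())
        except OSError:  # process exited, or its maps are not readable by this user
            continue
        if stale:
            report[int(entry)] = stale
    return report


# Constructed sample: a process started before a libssl update was installed.
SAMPLE_MAPS = """\
55d0c4a00000-55d0c4a2f000 r-xp 00000000 08:01 393301    /usr/sbin/exampled
7f3c1a200000-7f3c1a3b5000 r-xp 00000000 08:01 1311234   /usr/lib/libssl.so.1.0.0 (deleted)
7f3c1a3b5000-7f3c1a5b4000 ---p 001b5000 08:01 1311234   /usr/lib/libssl.so.1.0.0 (deleted)
7f3c1a800000-7f3c1a9c0000 r-xp 00000000 08:01 1311300   /usr/lib/libc.so.6
7f3c1b000000-7f3c1b001000 rw-s 00000000 00:05 32769     /SYSV00000000 (deleted)
7f3c1b100000-7f3c1b101000 r-xp 00000000 00:01 4711      /memfd:jit (deleted)
7ffd5e1d0000-7ffd5e1f1000 rw-p 00000000 00:00 0         [stack]
"""

if __name__ == "__main__":
    print("sample:", stale_mappings(SAMPLE_MAPS))
    if os.path.isdir("/proc/self"):
        for pid, libs in sorted(scan_proc().items()):
            print(pid, ", ".join(libs))
```

Run as root to see every process; any PID it lists is still executing pre-update code and needs a restart before the patch protects it.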

            1. Anonymous Coward

              strictly speaking

              ..grub plymouth and other processes used in booting can only be updated by er..booting too.

              1. Anonymous Coward

                Re: strictly speaking

                "..grub plymouth and other processes used in booting can only be updated by er..booting too."

                Your system is already booted, you don't need the updated version again until you reboot, when they'll be the latest version - like a kernel update.

                1. Anonymous Coward

                  Re: strictly speaking (@AC)

                  So you admit that Linux does not update completely until it reboots!?!

  2. Anonymous Coward
    Windows

    I've just read the linked article.

    So let me get this straight... there are several "critical" vulnerabilities in all versions of IE, and it's currently being exploited in the wild - yet there are no details about it, and yet again we have to wait like idiots until Tuesday to be patched?

    Whereas our Linux friends get their systems patched before they even found out about it, and had full details to test whether or not they're still vulnerable?

    1. Hans 1
      Windows

      >Whereas our Linux friends get their systems patched before they even found out about it, and had full details to test whether or not they're still vulnerable?

      That, and Linux servers usually lack a ui, so also ui web browser ... not that a browser update requires a reboot on Linux, ever, but hey ...

      At the end of the day, our windows friends pay a premium for all these "features".

      1. Anonymous Coward

        "That, and Linux servers usually lack a ui, so also ui web browser"

        So just like a Windows Server then.

        1. Anonymous Coward

          "So just like a Windows Server then."

          Very funny.

    2. Saint Gerbil

      Apples and Oranges

      That's hardly a fair comparison; most Windows users are part of the great unwashed masses, who don't know updates exist. Compared to Linux users which generally have to be a bit savvy. Where letting the Linux community know about a patch is a call to arms. Conversely letting the Windows community know how to exploit an issue is something they can use for years to come.

      The main hope for IE users is at least that from IE10 onwards it self-updates and can be considered "evergreen"

      1. thames

        Re: Apples and Oranges

        Saint Gerbil - "Compared to Linux users which generally have to be a bit savvy."

        I use Ubuntu, and there's no savvy involved in patching a desktop PC. The software update icon appears in the launcher on the left side of the monitor. I click on it and it opens up and lists what updates it wants to do, I click on the "update" button (or whatever it's called), and it updates in the background while I carry on with my work. When it's done, it lets me know, and that's it. If a kernel update was included, then it will tell me that I need to reboot for that to take effect, but I can do that when I feel like it. Overall, it's much easier than MS-Windows.

        What normal mainstream Linux distros do that is different from MS-Windows is that they don't wait a month (or more) to push out security fixes. They push them out ASAP, often within hours of discovering the problem. Sometimes they push out interim fixes while waiting for the final fix to be complete and tested, but what they don't do is hold back on security fixes to fit some arbitrary monthly release schedule. This is the real reason why there is no interest in anti-virus packages amongst Linux users - the root cause normally gets fixed faster than an anti-virus vendor would put out a signature to paper over the problem.

        Since security fixes happen right away, they're in small batches and are therefore less of a headache to deal with (often just a few tens of kilobytes). Ubuntu batches up non-security bug fixes and improvements, so I don't get bombarded with non-security updates too frequently (once a week I think - this is configurable, although the defaults are fine so I've never changed them).

        Since my whole desktop comes from a single provider (Ubuntu), I can let them do the work of testing for compatibility. If fix 'A' requires patching and re-compiling programs 'B', 'C', and 'D' to deal with side effects, they'll do that at the same time and I'll get those fixes at the same time as the security fix, all coming through the same package update system. Normally though, security updates are small and narrowly targeted.

        Linux systems aren't just Windows with different desktop wallpaper. The mainstream distros are built from the ground up for remote management and updates in a distributed fashion.

      2. Gray
        Facepalm

        Re: Apples and Oranges

        I'll be sure to tell my 72-year old wife who is running Linux (SolydXK) on her desktop and laptop pc, that each time an update icon on her screen signals that an update is available, that she must "be a bit savvy" to deal with the "call to arms" patch alert. Because up to this point, she's simply clicked the icon, entered her system password, and let the patches proceed (with no reboot required, ever!)

        I s'pose I'm in the same sad situation. I'm running SolydXK linux dual-boot with Windows 7, and I'm the one who set it all up for her. I'm 76, so that's probably why I forgot to advise her about the "savvy" and "call to arms" requirement. But it's been over a year and she's still keepin' on with keepin' on.

        And I'm a bit pissed that once again, with Windows 7 and IE, I'll be on the MS Patch Tuesday treadmill yet again with no end in sight. Realizing that there is no way to know how many remaining "undiscovered" holes and flaws exist in the MS system, we (wife & I) restrict our internet activity to our respective Linux installs.

    3. Anonymous Coward

      Yes, as the bash soap opera showed very well...

    4. ewilts

      Our Linux friends did NOT get their systems patched before the bash exploits were in the wild. Some vendors still have not updated their appliances, storage servers, etc. And how right were they? We've patched and you're good to go! Oh wait. Patch again. You're good to go! Oh wait, let's try again.

      I'd be stupid to defend Windows as being more secure than Linux but Linux isn't perfect either.

      1. Anonymous Coward

        We're talking mainstream Linuxes here.. the same market Windows serves.

        The details were out there so people could patch/disable/filter. If vendors haven't devised a way of patching their products in a timely manner, then it is the fault of the vendors, not "Linux" or bash.

        It shouldn't be necessary to tell this to people who are into IT.

    5. Anonymous Coward

      "So let me get this straight... there are several "critical" vulnerabilities in all versions of IE, and it's currently being exploited in the wild"

      No that's not correct. Not currently being exploited according to Microsoft.

      1. Anonymous Coward

        Not currently being exploited according to Microsoft.

        1 - They're bound to say that (not that they've even said it is or not). They have a vested interest in playing it down.

        2 - They don't know. Nobody knows if these bugs (spread across Microsoft's flagship products, and since IE6!!) have been discovered before the original reporter did... whenever that was.

        3 - Those who originally discovered the bug will now be working over-time to milk as much as possible before the hole is fixed.

        4 - Attackers might also have access to more servers at the moment due to the recent bash bug.

        I'm quite confident it's already being exploited, but no one has any way of knowing because there are no details on the problem.

  3. Hans 1
    Joke

    Redmond's Swiss cheese browser ... LOL

    IE6 - 14 years of plasters and the sieve still leaks so much updates are required every other month for it.

    So, when exactly will ie6 come out of Beta ?

    1. Anonymous Coward

      haha

      The only thing that's compatible with all versions of IE is the exploits!

    2. Robert Helpmann??
      Childcatcher

      Mmm... Swiss Cheese

      Since the browser is one of the most common attack vectors, you would think that MS would put more effort into minimizing its attack surface. Of course, if they had that attitude, Windows would be Xen...

      1. Anonymous Coward

        Re: Mmm... Swiss Cheese

        MS would put more effort into minimizing its attack surface

        Apparently they are - have you not seen the dwindling market share?

      2. Anonymous Coward

        Re: Mmm... Swiss Cheese

        One major issue for any browser is they are "open" platforms to be programmed, and need to support today a lot of very different ways of using them. Versatility doesn't usually go hand in hand with "minimizing the attack surface" - which usually can be made shutting down features and reducing access to unknown sources.

        To make a browser safe, you need to build sounder code with more robust libraries and compilers. Look at how the October release of Chrome closed 159 security issues, 113 of which were related to bad memory usage...

    3. Anonymous Coward

      Maybe you should give a look to:

      http://googlechromereleases.blogspot.it/2014/10/stable-channel-update.html

      "This update includes 159 security fixes"

      https://www.mozilla.org/security/known-vulnerabilities/firefox.html

      The only difference is that MS Tuesday Updates are much more publicized...

      1. Gene Cash Silver badge

        Mozilla has been reducing the attack surface by removing features, like the ability to turn off javascript, the ability to not use tabs, the activity indicator, the user profile manager, and on mobile Firefox, the ability to doubletap to zoom.

        That's a very advanced security strategy.

        1. Chemist

          "like the ability to turn off javascript,"

          Really ??. What they've done is remove the option in Preferences - it's still an option on the about:config page that's used for masses of possible configuration changes

    4. chivo243 Silver badge
      Windows

      @ Hans 1

      "all currently supported versions 6 to 11" I thought they put the wooden stake into the heart of IE 6 support a while back? Oh well, it must have been a wonderful dream, anyway, have a pint with a Windoze (L)User...

  4. Jungleland

    "including Windows RT"

    Forget the Universal App, we now have the Universal Bug.

    1. NumptyScrub
      Happy

      Re: "including Windows RT"

      Nope, that would be Little Bobby Tables, who is both OS and db engine agnostic.

  5. Dan Paul

    Instead of COMPLAINING about Microsoft......

    you ought to be commending them for actively trying to find bugs and squash them with frequent updates. They (MS) are doing a better job than they have in years, whether you want to admit it or not.

    Honestly, the vast majority of PC users have not got a clue about ANY software let alone browsers, El Reg readers are far and away a tiny minority of computer users.

    If you have a recent OS that autoupdates, it is going to be safer than sticking with one that does not. Same goes for the browser.

    The browser wars were over while AOL was still disc bombing your mailbox. IE won, get over it.

    I await your downvotes

    1. Gray
      Facepalm

      Re: Instead of COMPLAINING about Microsoft......

      The browser wars were over while AOL was still disc bombing your mailbox. IE won, get over it.

      I await your downvotes

      So MS decides to support IE by dropping all patches for it in Windows XP, which is still in use worldwide on older hardware that cannot support the MS upgrade Juggernaut ... and before fanbois scream that MS is not obligated to support an older OS, how about their obligation to support the IE portion that was current as of a year ago?

      Here's a downvote, and a small tube of Vaseline to ease the way ...

    2. Anonymous Coward

      Re: You should be COMPLAINING about Microsoft......@Dan Paul

      "you ought to be commending them for actively trying to find bugs and squash them with frequent updates"

      Not at all. It's Q4 2014 for those who haven't been paying attention. The idle wankers of Microsoft have been supposedly aware of their massive security failings since at least IE6 back in 2002, and in reality probably long before that. In the period 2002-2014, Microsoft have awarded themselves total profits (net income) of a staggering $195.05 billion, and still the best the fuckers can offer the world is a collection of security flaw ridden bloatware, and a pile of unprofitable hardware & business follies (Zune, Xbox, Skype, Surface, Nokia phones), failed corporate adventures (aQuantive and others), and core software fails like Vista, Windows 8, and the whole Windows Phone debacle.

      The evidence is absolutely compelling that the Microsoft business appears to be every bit as dysfunctional as the Nokia phones business was in 2005-2011. Microsoft's byzantine bureaucracy has missed all the important trends of the last decade, yet at the same time ignored crucial hygiene factors (like security), choosing instead to focus on the unimportant, the extravagant, the distracting, the unachievable, the pointless and the destructive.

      Far from commending Microsoft, any right thinking observer will condemn them.

      1. Dan Paul

        Re: You should be COMPLAINING about Microsoft......@Ledswinger

        Look, anyone who reads the comments here already knows about your rampant dislike for Microsoft.

        How about trying to be objective instead of reactive? Microsoft's "profits" and your comparison to Nokia don't have anything to do with this, your comments are part of your continued effort to push collectivism and you believe that any company that makes huge sums has to give it back to "the people".

        Business doesn't work that way. If it does, it doesn't last for long.

        All you ever do is criticize a company that is way beyond your control. I'm sure you have managed a company the size of Microsoft or you wouldn't be offering your suggestions. Oohhh... you haven't and you don't.

        The flaws that are being fixed in IE are similar in every single browser out there because they use similar processes. Many have been covered but new ones keep popping up. Microsoft keeps fixing them. They are doing that at a much faster rate than ever before. They are actually doing a pretty good job.

        Why not say something positive for a change?
