Microsoft confirmed on Wednesday that the company plans to push out a security fix for a critical security hole in Windows 7 next Tuesday. Microsoft officials posted an advance security bulletin today confirming that Windows XP will have 6 critical holes patched, Windows Vista 5 critical holes and Windows 7 only one. Microsoft's critical rating is the highest of all the severity definitions used by the company, described as "a vulnerability whose exploitation could allow the propagation of an Internet worm without user action."
Microsoft will ship a total of 13 updates on Tuesday, eight of them marked as critical. Previously the company released a record 12 updates in both February 2007 and October 2008, so next Tuesday will set a new record. This is Windows 7's first critical patch, and initial information suggests Internet Explorer 8 is at fault. Neowin will be live from the New York launch of Windows 7 on October 22, where Microsoft CEO Steve Ballmer will release Windows 7 to the world.
It looks like a cumulative update for IE8
maybe it is this one: http://www.theinquirer.net/inquirer/news/1...sie-electricity
That has been around for months, while other vendors have fixed their browsers.
Word is that it's black
xD lol...
That has been around for months, while other vendors have fixed their browsers.
You really have to be pretty damn retarded to use Windows for mission critical applications, like e.g. power supply systems.
Could very well be this one, MS isn't very quick in patching IE holes.
why not?
My SCADA system runs under Windows XP without any trouble.
internet explorer......??
You sure are misinformed....
Did you know about something called 7 RTM or OEM 7 availability or Technet 7 availability..
Read just a little bit about RTM and you will know when and how it means that 7 was released 2 months ago...
Right about what exactly? All he did was state the obvious (I hear he's almost ranked captain now) with an apparent attitude, as if fixing an issue before launch is a bad thing.
Fixing any issue is a good thing, especially when the issues being fixed are done in a timely manner. Can't get much better than before retail release I would imagine.
so in other words the FULL VERSION of Windows 7 (legitly) was available to people on Aug 6th 2009 on Technet.
Yes, fixing an issue before launch is good.
However, having issues like this before launch is bad. What Tony is trying to say is that if they have issues like this before the hackers have had a good chance to start exploiting it, it doesn't bode well for Windows 7 (or v6.1).
Now, it'd be a whole 'nother story if they were dropping patches left and right, especially at this point. All in all, I really feel Tony is just blowing this out of proportion.
During this time Microsoft issued not 1 but about 30 security and non-security patches to OEM companies.
As opposed to what? Having them after? Realistically software has bugs, that MS fix them in a timely manner is a good thing no matter your view, so the expectation that W7 would be 'perfect' is ludicrous to be frank.
Lol, you beat me to it with the "illuminate" comment
Damn you both - taking my fun away!
so if IE, Safari and Chrome were affected, FF is the only browser unaffected? give me a f'n break
Mozilla patched the null-prefix exploit in August, as soon as it was discovered. It has taken MS nine weeks to issue a patch.
It helps when you can just patch it up and not worry about something other than your app breaking. MS takes so long because it tests things out. Plus they have to not just patch one version of IE, I figure it's a bit different between IE for XP and IE for Vista/7.
The exploit on Firefox was worse than on IE. A single specially crafted certificate could be used to usurp the identity of any HTTPS server.
On IE you need to buy a certificate for each server identity you want to usurp, and since VeriSign and the other CAs are aware of the null byte flaw, they won't issue new certificates that allow this flaw to be exploited.
Anyway, it takes a long time for Microsoft to publish this kind of patch because so much software relies on the crypto API, so each change to this kind of system component must be tested for several weeks with thousands of third-party applications. Don't think Microsoft doesn't care about security; that's completely wrong. But they care more about compatibility, because that's what their biggest customers expect from them. Many big businesses never update their software because they fear an update may break something.
IE7/8 on Vista/7 do a great job at reducing the security risks thanks to their sandbox, something that Firefox still lacks... thus Firefox users are more vulnerable to plugin flaws like Flash and Adobe Reader 0-day flaws than IE users. Of course, the sandbox doesn't help with flaws like this one, but it helps to protect from memory corruption flaws that allow malware installation.
Furthermore, there have been fewer flaws in IE than Firefox these last few years, and Firefox flaws are sometimes fixed years after they have been reported on Bugzilla, since Mozilla cares about fixing bugs only when someone provides proof that the bug is exploitable (if you don't believe me, look at a few security bulletins on http://www.mozilla.org/security/announce/ and look at the matching entries on Bugzilla).
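The null byte flaw the post above refers to comes down to how a certificate's Common Name is compared: a C-style string comparison stops at the first NUL, so a name with an embedded NUL looks like a different, shorter name. The following is an added illustration, not code from the post or from any browser; it assumes the CN has already been extracted from the certificate as raw bytes, and the CN values in it are constructed samples.

```python
"""Illustrates the null-prefix certificate flaw discussed above and one
defensive check for it. Sample CN values are constructed for this example."""

NUL = b"\x00"

# Constructed sample values (not from any real certificate).
CRAFTED_CN = b"www.bank.example\x00.attacker.example"
HONEST_CN = b"www.bank.example"


def legacy_cn_matches(cn: bytes, host: str) -> bool:
    """Emulates a C-string comparison: everything after the first NUL is ignored,
    which is exactly why a CN with an embedded NUL can impersonate another host."""
    visible = cn.split(NUL, 1)[0]
    return visible.decode("ascii", "replace").lower() == host.lower()


def validate_cn(cn: bytes) -> str:
    """Return the CN as lower-case text, or raise ValueError if it could not be a
    well-formed hostname: embedded NUL, non-ASCII bytes, bad length, bad labels."""
    if NUL in cn:
        raise ValueError("embedded NUL in certificate name")
    text = cn.decode("ascii")  # raises UnicodeDecodeError -> treated as invalid below
    if not text or len(text) > 253 or text != text.strip():
        raise ValueError("malformed hostname")
    for label in text.split("."):
        if not label or len(label) > 63 or label.startswith("-") or label.endswith("-"):
            raise ValueError("malformed hostname label")
        if not all(ch.isalnum() or ch == "-" for ch in label):
            raise ValueError("invalid character in hostname label")
    return text.lower()


def safe_cn_matches(cn: bytes, host: str) -> bool:
    """Compare the whole CN, length included; any malformed CN is a mismatch."""
    try:
        return validate_cn(cn) == host.lower()
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    for name, cn in (("crafted", CRAFTED_CN), ("honest", HONEST_CN)):
        print(name, "legacy:", legacy_cn_matches(cn, "www.bank.example"),
              "safe:", safe_cn_matches(cn, "www.bank.example"))
```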
... which, like Firefox, doesn't use CryptoAPI. According to a Slashdot comment, it uses OpenSSL. Not sure if the exploit does affect Opera despite this though.
Thanks for the details, I hope more people read what you posted before they jump up and down and beat the "MS is so slow with patches!" drum.
Did you report anything? You know that no-detail article comments on neowin don't count right?
Thanks to your detailed bug report in this thread, and that the Windows Team is paying attention to these threads, MS will jump right to fixing your issues.
"We are just getting started!"
Uh, your computer doesn't magically get infected just by leaving IE open. Your machine was already infected by something you did previously.
exactly.
And I never heard about anyone getting infected by IE on a Vista/7 computer, even without applying security updates for IE. ASLR, DEP, and the sandbox (protected mode) prevent malware from being installed by exploiting flaws, even if you never apply security updates for IE or its plugins (Flash, Adobe Reader).
The IE sandbox has never been compromised (even at the cansecwest contest, where the rule is to read the hard drive, not to write! if the rule was to setup a malware in the user profile, IE would have won the contest these last 3 years since this is impossible without a flaw in windows kernel).
Sweet that Win 7 only needs 1 patch, after being out for quite a long time now, using a very old browser to boot.
Besides, I love downloading stuff.
Yes, because a ton of updates are IE8 compatibility view updates (which get pushed to IE8 on Vista, 2008 and XP...), the latest Malicious Software Removal Tool, Windows Defender updates (both of these also pushed to older OSs) and this IE8 flaw? Yes, that's a ton of updates...wow..they should totally recompile the RTM, which they'd then need to retest all over again and push the release back...sure thing..
I've only one complaint so far, and it is one that has been happening for the last 2-3 months: the ridiculous amount of updates. It's asking me to update definitions literally every two days; it's driving me insane. I'm sure they're doing all of this right now to patch up the holes before the release date, but still, can't they batch it together and send it over every other week? They are nothing significant or critical, so why annoy me non-stop about it? Anyone else here has noticed this?
I used to think XP and Vista were buggers, but this is like a joke; I'll contain my twitching every time (read: daily) it pops up in the corner, ignore it a few days so that I may install multiples at once, then the second they are installed, SURPRISE! New definition updates the next morning!
Here's to hoping it won't be the same once the final OS is out.