Microsoft: No Patches This Month

[havnblast]

Microsoft announced on Tuesday that no security patches would be forthcoming this month.While several new flaws have been announced by researchers, Microsoft said that it is still investigating the issues and doesn't have a patch prepared for December."It is not that we are not doing anything, it's just that we don't have a patch ready in the pipeline," said Iain Mulholland, security program manager for Microsoft. He said that the company is putting heavy emphasis on increasing the quality of its patches, and that has had an effect on the release timing. In October, Microsoft committed to making its patch-release schedule more regular, by only publishing patches on the second Tuesday in each month. The software giant said it will be skipping that release this month.However, several vulnerabilities have been reported to Microsoft, including seven Internet Explorer flaws found in late November that Mulholland said are still being investigated. Source: Cnet News

Interesting...... all I got to say

[bjf123]

Just another reason why my upcoming laptop purchase will be an Apple iBook and not a Dell, Gateway, etc.

[redmaledeer]

Well, it's nice that they are improving the quality of their patches. I'm still digging out from the damage done by their Nov_11 patch.

[havnblast]

Maybe their patch should be disconnect your computer from the internet

[Guest LilBambi]

Sorry to hear that ... especially in light of the 5 new IE vulnerabilities that were listed at Security Focus.Glad I started using QuickFix. I started testing it out a couple days ago and it seems to be working well and not negatively impacting anything.Course if it did impact anything, I could turn it off temporarily, do what I need to do and turn it back on.Hope it comes in handy for some other folks. It's a beta but it's free and I have found it to be stable on Win98SE so far.

[havnblast]

Interesting program Fran - I just hate the thought of having another process running in the background tho - notice any resources being used in extreme or slow down of anything?

[Guest LilBambi]

I haven't noticed much of an impact Kelly....maybe a tiny bit here or there on extreme pages, but otherwise no...so far.I also have email open all the time, popup blocker, cookie wall, firewall, antivirus, and the standard, ATI settings icon, volume and taskmanager all sitting in the system tray along with it.And this particular computer is only a 366mhz Celeron with 128M RAM and an older 10G hard drive that's slow by comparison to those out today.Actually, I would have to say, I have had to reboot less frequently if that makes any sense at all. I have only rebooted it once since I installed the program. Hadn't thought about that till just now. That's not too bad. :teehee:Course everyone's mileage may vary.

[havnblast]

Well here goes nothing - installing

[Guest LilBambi]

Keeping fingers, toes and eyes crossed for ya havnblast ---BTW: I just rebooted so I could do my Clean9x to see how the new program fared after the cleanup. (especially after some things put stuff in the temp files ... think: NAV2004).Loaded great and no problems.Really liking it so far.

[Rons]

Maybe there aren't any more problems to fix! LOL

[havnblast]

that is the best one I heard all day Ron got Quickfix installed - crashed on me right off the bat, but seem ok now

[Guest LilBambi]

Still working great here. Weird that it crashed and right after install?I closed all programs before installing it and didn't have any problems.Would like to know if others have problems with it.What OS specifically? I am using Win98SE with all patches and updates.I think one thing I will make sure to do is disable it when I go to MS Update site for the last time on this Win98SE computer at the beginning of January.I normally disable/close antivirus and software firewall on the system anyway (still keep up the hardware internet firewall at all times) to make sure there are no problems with the updates. I will just add this to the list of things to disable/close.

[havnblast]

I installed it on a WinXP SP1 - it has not been rebooted and I had ZA running at same time along with many other things. After it crashed I just restarted and the program came up fine.

[Guest LilBambi]

Would definitely like to see how it does over time on XP SP1 (do you have Home or Pro)?

[Guest ThunderRiver]

Maybe their patch should be disconnect your computer from the internet 

Maybe you need to have a more constructive comment.

[Corrine]

Microsoft announced on Tuesday that no security patches would be forthcoming this month. . .Source: Cnet News

Mystery patch blots Microsoft's fix-free monthBy Robert LemosStaff Writer, CNET News.com Microsoft apparently doesn't know when it plans to patch.The company scrambled on Wednesday morning to figure out why a patch had been issued through its Windows Update service, when the software maker had declared on Tuesday that it would not issue any fixes in December. The patch, for a flaw announced during its monthly fix bulletin in November, updates FrontPage extensions. It plugs a security hole that could allow malicious code to be run on a person's PC.On Wednesday morning, Microsoft discovered that a glitch in the patching process resulted in a November fix not being applied to some Windows XP computers. The same patch was sent out again via the Windows update service on Tuesday night. The company is still investigating why and how the patch was reissued.The original flaw occurs in Microsoft's FrontPage extensions and affects Windows 2000, Windows XP and Office XP. The security hole was rated as critical for all systems, except for original Windows XP installations that hadn't been upgraded with FrontPage Extensions 2002.Microsoft has previously said that it would attempt to make its patching process more intuitive and easy to use. It moved to a fixed schedule of monthly patches to make the process more predictable for network and system administrators.

CNet "Mystery Patch"I received the Windows Update notice tonight. I decided not to download it since I don't have plans to use Front Page in the near future anyway.

[linuxdude32]

I was just about to say that Windows Update told me there was a patch available yesterday for XP which I downloaded and installed. It was the same one referred to in the CNET article.

[linuxdude32]

I received the Windows Update notice tonight.  I decided not to download it since I don't have plans to use Front Page in the near future anyway.

I don't use Frontpage either but the "extensions" are something that is supported by IE (and built into XP) so simply visiting a webpage with a trojaned extension can allow your computer to be taken control of.Microsoft Security Bulletin MS03-051

[havnblast]

Maybe their patch should be disconnect your computer from the internet

Maybe you need to have a more constructive comment.

thought it was constructive when MS leaves exploits open, but at least it sounds like they are not releasing a quick patch to break something else.Fran I have XP Pro btw

[Rons]

What SP2 for XP may contain:http://msdn.microsoft.com/security/default...rityinxpsp2.aspSure hope it works.

[Guest LilBambi]

Thanks havnblast ... if you get a chance in a few days, maybe you could post in a new Quik-Fix topic how you like it in XP Pro and if you have had any problems with Quik-Fix. I will do the same in the topic for Win98SE.

[Corrine]

I don't use Frontpage either but the "extensions" are something that is supported by IE (and built into XP) so simply visiting a webpage with a trojaned extension can allow your computer to be taken control of.

Ah, thanks. I'll check the bulletin later. Since I use Mozilla as my primary browser, I'll still hold off a couple of days.

[havnblast]

Users could be lulled into providing sensitive information through a Internet Explorer browser vulnerability that allows fake URLs to obscure the real domain.A new vulnerability discovered this week in Internet Explorer could allow for the spoofing of URLs in the Web browsing, potentially putting users' sensitive information at risk.Security researchers confirmed a vulnerability in Internet Explorer 6 that could let an attacker display a fake URL in the browser's address bar in an attempt to disguise the real domain, according to a security bulletin released on Tuesday by Danish security company Secunia Ltd.Using the security hole, an attacker could trick users into providing sensitive information or download malicious software by leading them to think that they are visiting a trusted site, the advisory said.Secunia rated the vulnerability as "moderately critical." A Microsoft spokesperson on Wednesday said that the company knows of no exploits of the reported hole or of any users being affected but said in a statement that it is "aggressively investigating the public reports."Microsoft may provide a fix through its monthly patch release cycle or a separate patch, depending on the outcome of the investigation, the spokesperson said. Earlier this week, however, Microsoft said that it would not release any security bulletins for the month of December.

Source at eWeekJust keeps on getting better doesn't it?

[Corrine]

Just keeps on getting better doesn't it?

Doesn't it though!

Microsoft: Extra patching a precautionBy Robert LemosStaff Writer, CNET News.com      A fix distributed to some Windows XP systems earlier this week is a preventative measure and not a new issue, Microsoft said Thursday.On Tuesday night, the software giant's WindowsUpdate and AutoUpdate systems applied a patch to many Windows XP systems to fix an issue that originally was patched in November. The patch surprised Microsoft customers--and even some of the software giant's employees--because the company previously had said that there would not be any fixes coming in December."Frankly, it was a lack of communication--human error," said Sean Sundwall, a Microsoft spokesman. "At no point was someone vulnerable because of this error."

Microsoft: Extra Patch a Precaution

[havnblast]

even MS can't keep themselves straight. I can see where this would of shocked a few people when they are saying no patches and than produce one

[redmaledeer]

Does anyone have an opinion about SmartFix? It is said to do a lot of what Qwik-Fix does.

[linuxdude32]

*snickers at the concept of Microsoft going a month without patches* That's like a car going a month without refueling.To be fair though, Linux has lots of patches released, too but few are as serious. I think releasing patches only once a month is a *huge* mistake on Microsoft's part. They should release patches as they occur and if system admins or users want to until the next month to patch their systems, that's their choice.

[Guest LilBambi]

A Microsoft spokesperson on Wednesday said that the company knows of no exploits of the reported hole or of any users being affected but said in a statement that it is "aggressively investigating the public reports."

Saying that the company knows of no exploits of the reported hole is supposed to make it so?And the exploit is a real problem. Most folks are not seeing what you are seeing ThunderRiver. It is more of a problem than you realize.

[Guest ThunderRiver]

Well, by design, anything before @ is meant to be user name and password.. but people got smart and used it to redirect URL to somewhere else. That is truly not a news. If it was a big vulnerability it would have burst out long before now. Someone just needs to pick the right time to make it bigger and more public.. Why do you think it is now showing up in December? Well, I see it as no coincidence. By all means, it is a design flaw with in-shell FTP browsing, not a vulnerabiilty that is severe enough to go that public. If we could survive in the past, we can survive it now. It is interesting enough that we are now likes ants running around on the hot pot.. well, who makes the pot boiling hot? it is news.. it is media.. it is our mind. Why dwell on this topic when we have more important things to do? It is YOUR responsibility to keep the system safe and clean besides Microsoft support. That responsilibity includes knowning where exactly you are browsing. Aren't you an Internet surfer? How can it be so if you could not tell where you are going?Emails embeded with hidden URL address is malicious, but shouldn't users be smart enough to know that companies like PayPal, Ebay will never ask you to verify your account information, which includes credit card information. No one wants to be called a stupid.. but stupid things happened. It is time that we ask ourselves if we could improve ourselves.. instead of pointing problems.. and boom.. straight to Microsoft. I hope I have coveyed my point. If not, oh well. take care. I am done with this specific thread.

[linuxdude32]

Have you actually tried out the exploit demo? After all, it is not that serious at all. Journalist likes to turn a snow flake into a big snow ball, and you bought it completely.

Are you kidding, Thundrbird? A bug that sends people to a site different than the one in the address bar isn't serious? As users we have a responsibility to do what we can to protect ourselves but that doesn't mean Microsoft can ignore problems in their software. How are people supposed to trust what software is telling them if it's lying to them? Microsoft has a responsibility in the nation's infrastructure to at least *try* to protect their customers.