scross
join:2002-09-13
USA

1 recommendation

scross to 85160670

Member

to 85160670

Re: Microsoft to release IE security patch today, including one for Windows XP

I'm going to go ahead and point out a few issues here which should already be pretty obvious to those who pay attention to such things.

1. This is by no means a new security hole, but rather one that dates back to IE 6 - meaning that it's at least 12 YEARS OLD!
2. In typical Microsoft fashion, this problem not only affects their older software, but also ALL versions of their software produced since the originating time-frame, including their supposedly "state of the art" and "more secure than ever" products.
3. A bug like this which affects the BROWSER (which is just another application, mind you - or at least should be) shouldn't require a patch to the OPERATING SYSTEM, much less require a reboot. The fact that it does is a legacy of the monopolistic behavior of Microsoft a decade or so ago, when they embedded significant portions of IE inside the operating system. They did this in both a bid to become THE dominant internet browser (which they successfully did at the time, to the eternal dismay of everyone who's had to deal with IE ever since), and also to try making legal claims that IE was a core part of the OS and not a separate application; they even went so far as to claim that it was now INSEPARABLE. They were warned at the time not to play these kinds of games with the OS because of the security implications involved, but they decided to do it anyway - just like they went ahead and did several other similar things that they were warned not to do.
4. Despite supposedly major security enhancements to more current Microsoft operating systems, they really only react to security holes once they become aware that someone is exploiting them. It's probably very safe to say that this hole has many, many more cousins out there like it, affecting ALL versions of the OS/browser, and that these will also continue to only be resolved in a piecemeal fashion, if ever at all. In other words, those of you who think you are a lot safer because you are using a more current MS OS or browser are just kidding yourselves.

nwrickert
Mod
join:2004-09-04
Geneva, IL

nwrickert

Mod

said by scross:

A bug like this which affects the BROWSER (which is just another application, mind you - or at least should be) shouldn't require a patch to the OPERATING SYSTEM, much less require a reboot.

I'll disagree on the "reboot" part. The patch apparently updated a DLL. That cannot be done while the DLL is in use (a limitation of the NTFS file system). The patch would have at least required closing all applications using the DLL, and rebooting is a reasonable way of doing this.

Apart from that, I agree with most of your other points.

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

said by nwrickert:

The patch apparently updated a DLL.

The patch updated MSHTML.DLL. Since Windows uses IE components internally (that is IE is integrated into the OS) a reboot was required even though IE itself may've been closed.

I think scross's point is that a browser whose components are not integrated into the OS wouldn't require a reboot.

Personally this is one reason I avoid IE. It is not just an application. It has tentacles far into the OS. IMO that's just asking for trouble.

PS: Applications other than IE can use its components (that is API) to access the internet etc. That's a good reason to install IE patches even if you don't use the browser itself.
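
An added example, not part of any post in this thread: a PowerShell check an administrator could run after installing the patch to see which running processes still have MSHTML.DLL loaded, and whether a replacement of that file is queued for the next boot. The variable names are illustrative, and the `PendingFileRenameOperations` value is only one indicator of a pending reboot.

```powershell
# Added example (not from the thread). Run elevated for full process coverage.
$dll = 'mshtml.dll'

# 1. Which running processes currently have the DLL mapped?
$users = foreach ($p in Get-Process) {
    $m = $null
    try {
        $m = $p.Modules |
            Where-Object { $_.ModuleName -ieq $dll } |
            Select-Object -First 1
    } catch {
        continue   # protected process, or access denied without elevation
    }
    if ($m) {
        [pscustomobject]@{
            Process = $p.ProcessName
            Id      = $p.Id
            Path    = $m.FileName
            Version = $m.FileVersionInfo.FileVersion
        }
    }
}

# 2. Is a replacement of the DLL queued for the next boot?
#    Files that could not be replaced in place are recorded in this value.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
$queued = @($pending | Where-Object { $_ -like "*\$dll" })

# 3. Report
if ($users) {
    "Processes with $dll loaded:"
    $users | Sort-Object Process | Format-Table -AutoSize
} else {
    "No accessible process has $dll loaded."
}

if ($queued.Count -gt 0) {
    "A rename of $dll is queued for the next boot; the old copy stays in use until then."
} else {
    "No queued rename of $dll was found."
}
```

Any process in the first list other than the browser itself is an application that depends on the IE component and is covered by the same patch.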

Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

Davesnothere to scross

Premium Member

to scross
said by scross:

.... 3. A bug like this which affects the BROWSER (which is just another application, mind you - or at least should be) shouldn't require a patch to the OPERATING SYSTEM, much less require a reboot.

The fact that it does is a legacy of the monopolistic behavior of Microsoft a decade or so ago, when they embedded significant portions of IE inside the operating system.

They did this in both a bid to become THE dominant internet browser (which they successfully did at the time, to the eternal dismay of everyone who's had to deal with IE ever since), and also to try making legal claims that IE was a core part of the OS and not a separate application; they even went so far as to claim that it was now INSEPARABLE.

They were warned at the time not to play these kinds of games with the OS because of the security implications involved, but they decided to do it anyway - just like they went ahead and did several other similar things that they were warned not to do....

 
And a crafty fellow from Oz proved (with his app to tweak the Windows installer) that what you explained CAN be mitigated, first with Win 98, and later with other versions.

IIRC, his first offering was called Win 98 Lite.
PX Eliezer1
Premium Member
join:2013-03-10
Zubrowka USA

PX Eliezer1

Premium Member

said by Davesnothere:

And a crafty fellow from Oz proved (with his app to tweak the Windows installer) that what you explained CAN be mitigated, first with Win 98, and later with other versions.

IIRC, his first offering was called Win 98 Lite.

That was good stuff.

Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

1 edit

Davesnothere

Premium Member

 
It was called 98 Lite, actually.

»www.google.ca/#newwindow ··· =98+lite

There apparently later was a version for XP, but I did not try that.

On 98 though, you could remove so much of IE and some intertwined OS components that some 3rd party apps which depended upon one or another of these would complain and/or not run.

I recall an already installed Norton product reacting in that manner.

This was not really a surprise to me at the time, as many apps of that era DID specify both a minimum version of Windows, AND of the IE browser, both of which needed to be installed and working, as a system requirement.
scross
join:2002-09-13
USA

scross to nwrickert

Member

to nwrickert
said by nwrickert:

I'll disagree on the "reboot" part.

There are systems out there which don't necessarily require a reboot for such things, although they may require a soft reset of some very limited type in order to ensure that everything relevant is now up to date. The "must reboot" mentality is a legacy of what Microsoft has wrought in the computing world.

nwrickert
Mod
join:2004-09-04
Geneva, IL

nwrickert

Mod

said by scross:

There are systems out there which don't necessarily require a reboot for such things

Agreed. I am using one.

Nevertheless, that has nothing to do with how MS integrated IE into the operating system. It mostly has to do with the file system design.
scross
join:2002-09-13
USA

scross

Member

said by nwrickert:

Nevertheless, that has nothing to do with how MS integrated IE into the operating system. It mostly has to do with the file system design.

Yes, FUNDAMENTAL design flaws/limitations, and all of that. It never ceases to amaze me how people try to claim that Microsoft is "enterprise class", when they (both MS and many of their customers) have shown very little indication over the years that they understand what "enterprise quality" actually is!
Shady Bimmer
Premium Member
join:2001-12-03

Shady Bimmer to scross

Premium Member

to scross
said by scross:

3. A bug like this which affects the BROWSER (which is just another application, mind you - or at least should be) shouldn't require a patch to the OPERATING SYSTEM, much less require a reboot.

Where do you see actual evidence that this is an OS patch rather than a browser-related patch? The best I have found is that it is indeed just an update for IE related components.

If an application so chooses to use the native-provided client-side web functionality provided by the default desktop windows install (and known to reliably exist) then that does not make it an OS issue.

For what it is worth I did not require a reboot on any of my systems (five in total) for this fix.

Also for what it is worth, on all current OSs when a shared library needs to be updated, if any part of that library is in use at the time of patch application a reboot is required. This is by far not unique to Windows.

I do not disagree that MS perhaps overstepped bounds by integrating IE so tightly into the OS, but it is not MS that forced so many third-party applications to also depend on IE components.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to scross

Premium Member

to scross
A reboot was NOT needed on Windows 8 Pro. So, this did just affect IE 10 and not Windows 8.
scross
join:2002-09-13
USA

scross

Member

said by Mele20:

A reboot was NOT needed on Windows 8 Pro. So, this did just affect IE 10 and not Windows 8.

A reboot was required for some of the older operating systems, at least, but depending on the situation perhaps this was more a matter of routine than absolute necessity.
scross

scross to Shady Bimmer

Member

to Shady Bimmer
said by Shady Bimmer:

Also for what it is worth, on all current OSs when a shared library needs to be updated, if any part of that library is in use at the time of patch application a reboot is required. This is by far not unique to Windows.

That is an overly broad statement. There are plenty of true enterprise-class systems out there (or at least there used to be) which have been around for a long time and which are designed to minimize outages of all types, since these generally can't be (and aren't) done lightly. Not that they aren't still sometimes required, mind you, but they are by design rare, and years may go by before something like a forced reboot is done.

Like I said, the "just reboot it" mentality is largely a Microsoft thing. I've had to fight that battle before - where a Microsoft server needed rebooting for whatever reason, and before you know it the local IT crew has decided to just reboot everything else in the room that might talk to that server, because they either couldn't be bothered to learn (or maybe just couldn't retain) the simple steps required to get everything talking again after the server came back up. In many cases, the steps required to get things talking again after rebooting the other equipment were even more involved than those they would have to go through without doing the reboot, but I quickly learned that it was generally faster to just go ahead and let them do whatever they wanted to rather than waste time talking about it, especially in a crunch-time situation.
said by Shady Bimmer:

I do not disagree that MS perhaps overstepped bounds by integrating IE so tightly into the OS, but it is not MS that forced so many third-party applications to also depend on IE components.

Are you talking about the same Microsoft that went around twisting arms and busting heads (as necessary) in order to get everyone to commit to almost exclusively using IE in the first place, and then made IE so quirky and non-standard that you really had no choice but to commit excessive resources to maintaining compatibility and inter-operability with it? Under those circumstances, I'm not so sure that a statement like "it is not MS that forced so many ..." holds much water.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to scross

Premium Member

to scross
said by scross:

A reboot was required for some of the older operating systems, at least, but depending on the situation perhaps this was more a matter of routine than absolute necessity

Microsoft did say that a reboot would be needed. So, after I downloaded it, I closed Firefox and Thunderbird thinking I was going to have to reboot after installing the patch. To my surprise, the installer said "successfully installed" and nothing about rebooting like I have seen with almost all Windows 8 patches (XP Pro never needed reboots as often as Windows 8 does). I thought then maybe it didn't really install. So, I started IE and About IE showed it successfully installed.
scross
join:2002-09-13
USA

scross

Member

said by Mele20:

Microsoft did say that a reboot would be needed.

I rebooted (eventually) because Microsoft said a reboot was required. But then I needed to reboot anyway because of an Avast program update, which I don't really understand the need for a reboot for, either.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

Hmmm....maybe I should reboot then as I never did! I used to use Avast and I don't recall it ever needing a reboot.

tubbynet
reminds me of the danse russe
MVM
join:2008-01-16
Gilbert, AZ

tubbynet

MVM

said by Mele20:

Hmmm....maybe I should reboot then as I never did!

my win7 enterprise vm did not need a reboot.
my windows xp vm did.

i've not updated my win 8.1 pro vm yet.

q.