It seems that MS lost the race again, or what?
http://tech.slashdot.org/article.pl?sid=08%2F12%2F18%2F1416225&from=rss
Not sure this is worth the post.
Of course Microsoft will always have the upper hand with “Automatic updates”. Surely almost everyone who buys a machine with a Microsoft operating system gets them by default (as they should).
Hi malware fighters,
What is a disadvantage is that users that installed the proposed work-arounds for the latest now patched IE hole, in some cases have to manually undo these mitigations:
http://msinfluentials.com/blogs/jesper/archive/2008/12/18/you-need-to-manually-undo-your-ms08-078-mitigations.aspx
As the majority of users use IE by default (as it comes out of the box), Secunia PSI will warn them about third party vulnerable software, not about their Windows platform not being fully updated and patched. And in the case they haven’t got the Secunia PSI tool an enormous amount of users use Windows without patches, without the latest Service Packs, until recent times even the older vulnerable versions of Sun Java weren’t cleansed from their computer. In keeping up with the threats we still have a long way to go as security community to warn the unaware. And those that can’t be bothered are beyond our reach, on the other hand they form the biggest threat out there for the security aware,
polonus
If you keep your operating system updated, then the patches for the browser will also be applied.
I have to agree that an auto check for any browser updates prior to using the browser has a definite advantage over the current method used by Microsoft.
I have to agree that an auto check for any browser updates prior to using the browser has a definite advantage over the current method used by Microsoft.
That is not the way that Firefox works, and - as Bob notes - it is not the way IE works. Does anyone know of any browser that does work this way?
No? Tell us how Fx works.
Firefox waits until the browser has been up and running for a period of time (I would have to go and find the exact period) before it checks for updates.
At least when Microsoft chooses to push an emergency fix then it takes advantage of the fact that (in theory) your system will check for automatic updates on every system startup. However (as DavidR noted in another thread) their method of server congestion management may mean that you do not get the update immediately.
1.91% of all PCs are fully patched! :
http://secunia.com/blog/37
In Vista, the Windows Update is separated from the browser. You don’t have to open IE to update it.
For Firefox, go to about:config and in the search type in “update”. I think one of the entries has a delay to check for updates in milliseconds. Use about:config with extreme caution, as always.
I believe that the Microsoft automatic updates works in Vista the same as for XP as I described above, it can take days before you get an update if there is congestion on the MS update servers.
Hi malware fighters,
It is absolutely vital that you install the latest out of band patch for IE, because malcreants also know some people do not patch immediately, and now the malware ActiveX can be started from inside an insidious Word document, and while users think they are securely working on Fx or Flock, their unpatched IE browser is infected in the meantime by opening a malicious Word document: http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123898&intsrc=hm_list
During the days of the work arounds and because IE has been deeply integrated into the OS, I prefer to open my documents using Open Office software (fully updated and patched version).
Integrating explorer deeply in the O.S. gives you faster, immediately available functionality and makes your IE browser start faster than a third party browser can (part of it starts at starting your OS), or you have to slim down the browser unto quite an extent (as they did with GoogleChrome) or use a shell browser, but it is/was not one of the brightest ideas security-wise,
polonus
The Secunia PSI tool is interesting having just tried it on this system. I will now apply the usual reasonable questioning logic to the statistics they put out which - on the face of it - are scary.
I fall into the 30 odd percent that have 1-5 unpatched programs (I had 2).
One of them was a program I installed ages ago to check out an issue reported in a thread here and did not get round to uninstalling and is never used (at least it reminded me to remove it). The other is Wireshark that is a point release out of date and that I use very infrequently.
So, the information reported by Secunia is indicative of issues but I would question whether it can be directly related to security threat levels.
Windows and IE were not designed with security or performance in mind. Only the number of features matters here.
But let us not forget that these products fund the entire security (and malware) business. If Windows were a real OS and IE a real browser, all these people would go out of business, and this forum would not exist. :o
Hi TheSpirit,
A bit harshly put here and as a generational remark, I would like to go about these issues a little bit more subtle, factual and into detail. But on the other hand it is true that sometimes a security issue is turned into a beneficial feature, MS has used these tactics before. That all sort of software can do things to the browser makes an integrated browser a particular vulnerability in case it is “broken”. It is patched now, but how many months do we have to wait until another skeleton is coming out of the MS coding closet, with closed software you never know, and it is/was not only MS that had these issues, other software have shown similar issues, like ZoneAlarm, and a couple of more examples.
So you can state that open software is far more buggy and full of holes, because everyone is validating the code, look over your shoulder and where the one person can code the other can uncode. In closed software you never have an idea what “ghost coders” in the past have done participating in the software’s development,
polonus
But let us not forget that these products fund the entire security (and malware) business
I used to work for a very large bank which uses other operating systems - from my experiences I know that your statement is not entirely applicable.
True. We should allow other vendors to join the club.
By way of update to an earlier post:
Firefox waits until the browser has been up and running for a period of time (I would have to go and find the exact period) before it checks for updates.
It is 10 minutes.
Well, it still hasn’t come down the pipe, despite the WU icon popping up twice today and still reporting Downloading 0%. This for me is a regular issue, taking days to get an auto update to finally complete.
I gave up and downloaded it manually from download.microsoft.com, it took 8 minutes on my poor download connection. Where the au.download.microsoftupdate.com has taken two days of multiple attempts to get nowhere.
I’d consider this post slightly biased :o