Microsoft is at a disadvantage in updating Internet Explorer.

[TheSpirit]

It seems that MS lost the race again, or what?

http://tech.slashdot.org/article.pl?sid=08%2F12%2F18%2F1416225&from=rss

[alanrf]

Not sure this is worth the post.

Of course Microsoft will always have the upper hand with "Automatic updates".  Surely almost everyone who buys a machine with a Microsoft operating system gets them by default (as they should).

[polonus]

Hi malware fighters,

What is a disadvantage is that users that installed the proposed work-arounds for the latest now patched IE hole, in  some cases have to manually undo these mitigations:
http://msinfluentials.com/blogs/jesper/archive/2008/12/18/you-need-to-manually-undo-your-ms08-078-mitigations.aspx
As the majority of users use IE as by default (as it comes out of the box), Secunia PSI will warn them about third party vulnerable software, not about their Windows platform not being fully updated and patched. And in the cae they haven't got the Secunia PSI tool an enormous amout of users use Windows without patches, without the latest Service Packs, until recent times even the older vulnerable versions of Sun Java weren't cleansed from their computer. In keeping up with the threats we still have a long way to go as security community to warn the unaware. And those that can't be bothered are beyond our reach, on the other hand they form the biggest threat out there for the security aware,

polonus

[bob3160]

If you keep your operating system updated, then the patches for the browser will also be applied.
I have to agree that an auto check for any browser updates prior to using the browser has a definite advantage
over the current method used by Microsoft.

[alanrf]

I have to agree that an auto check for any browser updates prior to using the browser has a definite advantage
over the current method used by Microsoft.

That is not the way that Firefox works, and - as Bob notes - it is not the way IE works.  Does anyone know of any browser that does work this way?

[TheSpirit]

That is not the way that Firefox works, and - as Bob notes - it is not the way IE works. 

No? Tell us how Fx works.

[alanrf]

Firefox waits until the browser has been up and running for a period of time (I would have to go an find the exact period) before it checks for updates.

[alanrf]

At least when Microsoft chooses to push an emergency fix then it takes advantage of the fact that (in theory) your system will check for automatic updates on every system startup.  However (as DavidR noted in another thread) their method of server congestion management may mean that you do not get the update immediately.

[YoKenny]

Hi malware fighters,

What is a disadvantage is that users that installed the proposed work-arounds for the latest now patched IE hole, in  some cases have to manually undo these mitigations:
http://msinfluentials.com/blogs/jesper/archive/2008/12/18/you-need-to-manually-undo-your-ms08-078-mitigations.aspx
As the majority of users use IE as by default (as it comes out of the box), Secunia PSI will warn them about third party vulnerable software, not about their Windows platform not being fully updated and patched. And in the cae they haven't got the Secunia PSI tool an enormous amout of users use Windows without patches, without the latest Service Packs, until recent times even the older vulnerable versions of Sun Java weren't cleansed from their computer. In keeping up with the threats we still have a long way to go as security community to warn the unaware. And those that can't be bothered are beyond our reach, on the other hand they form the biggest threat out there for the security aware,

polonus

1.91% of all PCs are fully patched! :
http://secunia.com/blog/37

[Go Pack Go]

I have to agree that an auto check for any browser updates prior to using the browser has a definite advantage
over the current method used by Microsoft.

That is not the way that Firefox works, and - as Bob notes - it is not the way IE works.  Does anyone know of any browser that does work this way?

In Vista, the Windows Update is seperated from the browser.  You don't have to open IE to update it.

For Firefox, go to about:config and in the search type in "update".  I think one of the entries has a delay to check for updates in milliseconds.  Use about:config with extreme caution, as always.

[alanrf]

I believe that the Microsoft automatic updates works in Vista the same as for XP as I described above, it can take days before you get an update if there is congestion on the MS update servers.

[polonus]

Hi malware fighters,

It is absolutely vital that you install the latest out of band patch for IE, because malcreants also know some people do not patch immediately, and now the malware ActiveX can be started from inside an insiduous Word document, and while users think they are securely working on Fx or Flock, their unpatched IE browser is infected in the meantime by opening a malicious Word document: http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123898&intsrc=hm_list
During the days of the work arounds and because IE has been deeply integrated into the OS, I prefer to open my documents using Open Office software (fully updated and patched version).
Integrating explorer deeply in the O.S. gives you faster, immediately available functionality and makes your IE browser start faster as a third party browser can (part of it starts at starting your OS), or you have to slim down the browser unto quite an extent (as they did with GoogleChrome) or use a shell browser, but it is/was not one of the brightest ideas security-wise,

polonus

[alanrf]

The Secunia PSI tool is interesting having just tried it on this system.  I will now apply the usual reasonable questioning logic to the statistics they put out which - on the face - of it are scary.

I fall into the 30 odd percent that have 1-5 unpatched programs (I had 2).  

One of them was a program I installed ages ago to check out an issue reported in a thread here and did not get round to uninstalling and is never used (at least it reminded me to remove it).  The other is Wireshark that is a point release out of date and that I use very infrequently.

So, the information reported by Secunia is indicative of issues but I would question whether it can be directly related to security threat levels.  

[TheSpirit]

Integrating explorer deeply in the O.S. gives you faster, immediately available functionality and makes your IE browser start faster as a third party browser can (part of it starts at starting your OS), or you have to slim down the browser unto quite an extent (as they did with GoogleChrome) or use a shell browser, but it is/was not one of the brightest ideas security-wise,

polonus

Windows and IE were not designed with security or performance in mind. Only the number of features matters here.

But let us not forget that these products fund the entire security (and malware) business. If Windows were a real OS and IE a real browser, all these people would go out of business, and this forum would not exist.  

[polonus]

Hi TheSpirit,

A bit harshly put here and as a generational remark, I would like to go about these issues a little bit more subtle, factual and into detail. But on the other hand it is true that sometimes a security issue is turned into a beneficial feature, MS has used these tactics before. That all sort of software can do things to the browser makes an integrated browser a particular vulnerability in case it is "broken". It is patched now, but how many months do we have to wait until another skeleton is coming out of the MS coding closet, with closed software you never know, and it is/was not only MS that had these issues, other software have shown similar issues, like ZoneAlarm, and a couple of more examples.
So you can state that open software is far more buggy and full of holes, because everyone is validating the code, look over your shoulder and where the one person can code the other can uncode. In closed software you never have an idea what "ghost coders" in the past have done participating in the software's development,

polonus