Language Selection

English French German Italian Portuguese Spanish

M$ Initially Released Corrupted IE Patch

Filed under
Microsoft

The patch for Internet Explorer that Microsoft on Tuesday urged users to install as soon as possible was initially flawed, the company said Wednesday.

Several of the Internet Explorer updates initially provided via the Download Center were corrupted, Microsoft officials said, and couldn't be installed.

"The updates were corrupted, breaking the digital signatures," a member of the IE development team wrote on the browser's official blog on Tuesday. "We've identified the problem [and] removed the affected updates from the Download Center."

The broken signatures caused failures of both Systems Management Server (SMS) -- the enterprise management tool used to distribute new software and updates -- and individual Internet Explorer installations.

"If customers got the update from the Download Center in the first few hours after the 10 a.m. [PDT] release, then the update that was downloaded would not install," confirmed a Microsoft spokesperson Wednesday. "Microsoft immediately pulled the ability to get the updates from the Download Center, investigated the cause of the problem, and re-published the updates."

Only the update files posted on the Download Center -- which is where links in the individual security bulletins take users -- were affected, Microsoft said. "Automatic Update, Windows Update, Microsoft Update, and Windows Server Update Services (WSUS) were not affected," the company said in an explanation added to the MS05-038 bulletin Wednesday.

The glitch is an embarrassment for Microsoft. "I've never seen an update corrupted like this," said Mike Murray, the director of research at vulnerability management vendor nCircle. "We've had updates that were broken somehow or didn't work like they should, but not this."

Some users commenting on Microsoft's blog site took the company to task for the screw-up. Dominic White, a South African studying computer science at Rhodes University who has published papers on automated update technologies in general, and Microsoft's in particular, was one.

"What bothers me is the way this was described," wrote White. "'This only impacts users downloading via Download Center' [Microsoft said], but this is exactly what it would look like if someone had compromised the patches. Nobody seemed to think about the possibility of hacked patches and Microsoft didn’t have to say they weren’t hacked, just a bug.

Full Story.

More in Tux Machines

OSS Leftovers

SUSE Leftovers

  • openSUSE Tumbleweed – Review of the Week 2016/48
    After releasing daily snapshots without interruption for 17 days, Tumbleweed did slow down a bit during the last week. As already mentioned in my last review, 1124 had been canceled due to an issue with sddm installing strange branding configurations. And later on, we ‘broke’ our own staging setup and needed to bootstrap a few of them, making the throughput much lower than you were used to. So, we ended up with 3 snapshots since my last review: 1125, 1128 and 1129.
  • Highlights of YaST development sprint 28
    November is over, Santa Claus elves start to stress and the YaST team brings you one of the last reports of 2016. Let’s see what’s new in YaSTland.

OSS: AI and Machine Learning

Ubuntu and Derivatives

  • Canonical Sues Cloud Provider, Mint Beta, Devuan Tour
    Ubuntu parent-company, Canonical, today posted that they've been in a dispute with "a European cloud provider" over their use of their own homespun version of Ubuntu on their cloud servers. Their implementation disables even the most basic of security features and Canonical is worried something bad could happen and it'd reflect badly back on them. The post read, "The home-grown images of this provider disable fundamental security mechanisms and modify the system in ways that are unsupportable. They are likely to behave unpredictably on update in weirdly creative and mysterious ways." They said they've spent months trying to get the unnamed provider to use the standard Ubuntu as delivered to other commercial operations to no avail. Canonical feels they have no choice but to "take legal steps to remove these images." They're sure Red Hat and Microsoft wouldn't be treated like this.
  • Taking a stand against unofficial Ubuntu images
    Ubuntu is amazing on the cloud because we work with cloud providers to ensure crisp, consistent and secure images which you can auto-update safely. On every major cloud—AWS, Azure, Google, Rackspace, SoftLayer and many more—you can be confident that ‘Ubuntu’ is Ubuntu, with the same commitment to quality that you can expect when you install it yourself, and we can guarantee that to you because we require that clouds offer only certified Ubuntu images.
  • Canonical Takes Stand Against Unofficial Ubuntu Images, Reportedly Risky & Insecure
    Mark Shuttleworth has written a new blog post where he's outlining a dispute Canonical is having with a European cloud provider over a breach of contract and "publishing insecure, broken images of Ubuntu" for its cloud customers. With these Ubuntu Cloud unofficial images reportedly being buggy, users are complaining to Canonical/Ubuntu, assuming it's an upstream issue. Having enough of that, they are now preparing for legal steps to remove the unofficial Ubuntu images from the particular cloud provider.
  • Linux Mint 18.1 “Serena” MATE – BETA Release
  • Linux Mint 18.1 “Serena” Cinnamon – BETA Release