Linked by Thom Holwerda on Wed 12th Apr 2006 18:30 UTC
Microsoft's dominant Internet Explorer browser has undergone a major security makeover to plug 10 vulnerabilities that put millions at risk of PC takeover, address bar spoofing and information disclosure attacks. The monster IE update includes a fix for the 'createTextRange()' code execution flaw that caused zero-day drive-by downloads and a significant modification to the way the browser renders certain ActiveX controls. In all, Microsoft shipped five bulletins with patches for 14 different vulnerabilities in a range of Windows products. At the same time Microsoft has begun requesting that users upgrade their ME/98 machines because support ends July 11th, 2006.
Thread beginning with comment 114242
Sloppiest Programmers on the planet.....
by ZaNkY on Wed 12th Apr 2006 20:36 UTC
Member since:
2005-10-18

I was reading an article on theinquirer.net. The author said how he had to download 200 Mb worth of patches on a clean WinXP install. Let me quote him ;)

"I mean, this is a fresh installation of XP following the death of a hard disk. Of course, I've had to download a good 200Mb of patches from Vole HQ. 200MB! Sheesh, these guys have got to be the sloppiest programmers on the planet..."

http://theinquirer.net/?article=30948

I don't really keep up with how many patches come out per year, but I do know that things could be coded a LOT better (on MS's end of course) if you release so many patches at once, week after week.

--ZaNkY

Reply Score: 1

TaterSalad Member since:
2005-07-06

That could be said for any OS. I'll take linux as an example here. Install FC4 from cd, then see if you need to do updates on it. I'm pretty sure you will. And FC4 came out after WinXP did.

But on the bright side of things, if you're installing XP on corporate desktops you would only need to do the 200 meg download once, then make a slipstream cd of XP with patches. Home users are a different story.

Reply Parent Score: 3

mmebane Member since:
2005-07-06

Why even 200 MB?

http://ryanvm.net/msfn/

Reply Parent Score: 1

anyweb Member since:
2005-07-06

so, for someone reinstalling windows xp pro (the article didn't mention whether it was xp gold, xp sp1 or xp sp2) then you could assume that it was xp gold, and that the end user had to download all patches (and/or service packs) released since then.

big download ? yep, big deal.

Try installing a linux distro from the time that xp was released and do apt-get update && apt-get upgrade -y or yum -y update (or whatever your distro wants to update itself)

then check how many megs of updates are downloaded....


i've had similar issues with fresh installs of distros recently released, especially if it involves openoffice.

I am glad that Microsoft are patching their products, however i'd like to see them be more flexible on the timeframe of patch releases,

in other words, it would be great if they could release patches to 'critical' issues as soon as possible - instead of end users having to resort to third party patches to alleviate the issue.

cheers
anyweb

Reply Parent Score: 4

prismX Member since:
2005-08-19

There are several issues affecting immediate patch release. Patch quality and compatibility testing is one of them. Windows is a very sophisticated OS and it runs on the majority of home and business workstations with millions of different settings and configurations. MS should provide a patch able not only to solve a specific problem, but also one that does not break applications or specific configurations. It is especially important for business users. Of particular importance, not to break compatibility too.
Another minor issue: a sysadmin cannot update a huge number of workstations every time; system administration requires scheduling, so a patch release date is very good for business computing. And if some serious issue exists, a sysadmin may tighten security or change some setting to prevent the security bug exploit, so a good sysadmin is not so unequivocally dependent on the OS patching.

The fact that MS patches products shows that they work hard to improve their product; if somebody does not like this, nobody convinces him to update Windows, it is the personal problem of each one. But it is wonderful that in a short time Apple released 6 big updates for their fanfared Tiger in addition to regular patches, and nobody even thinks to blame them.
People must understand that whether or not bugs are identified, they are bugs. The difference between Apple and MS is that Apple is praised for everything it is doing, MS is shamed for everything it does. All this and of course other aspects make me think that most people are not capable of consecutive logical thinking; they are deeply dependent on trade tricks and advertising campaigns...
It is a great pity....

Reply Parent Score: 5

smitty Member since:
2005-10-13

Try installing a linux distro from the time that xp was released and do apt-get update && apt-get upgrade -y or yum -y update (or whatever your distro wants to update itself)

True, but to be fair you should really only update the kernel (not kernel sources), a few libraries, and DE (GNOME or KDE). Because that is all that XP provides (actually quite a bit less than KDE). Otherwise you should include updates for MS Office, Visual Studio, etc. into the Windows updates as well.

Reply Parent Score: 2

ma_d Member since:
2005-06-29

Ya know, there's a good reason why the apt update size and windows update size are completely incomparable:
1.) Apt just reinstalls the offending package. Microsoft reinstalls the offending file(s).
2.) Apt contains tons of feature upgrades, Microsoft typically makes those optional/recommended.

The really obnoxious thing about winupdate to me is redoing it, over and over. It'd be nice if they could at least fully automate it to where I start it. It runs. It reboots. It runs again (without me saying anything). It reboots, etc. Is there a program out there that does that which I should remember?

And for those who only have a WinXP cd, I think Microsoft will ship you an SP2 cd as a small fee these days.

Reply Parent Score: 1

lemme Member since:
2006-04-13

download sizes comparison: hmm...

first note: can you feel the difference between security fix and updating to _new version_?

second note: can windows update (or microsoft update) help any particular user update, say, acrobat reader? yum and apt-get (or whatever app your whatever distro is using for updates) can.


microsoft patch release timeframe...yep, here i completely agree w/you

cheers
lemme

Reply Parent Score: 1

dylansmrjones Member since:
2005-10-02

Well, you only have to install the security fixes and critical bugfixes. All the small trivial point releases should not be counted. Only security fixes and critical bugfixes, as these are the only equivalents to Microsoft's updates.

And then it's a completely different matter when updating GNU/Linux. We are then talking about a few MBs, that's all.

Reply Parent Score: 1

kaiwai Member since:
2005-07-06

I don't really keep up with how many patches come out per year, but I do know that things could be coded a LOT better (on MS's end of course) if you release so many patches at once, week after week.

Oh pulease, Fedora Core 5 has been out for less than 2 weeks, and there is already over 100MB worth of updates - so please, let's not try to declare that our respective shit don't stink.

The issue shouldn't be about the updates, but ensuring that the updates are released promptly with good documentation, and correct the problem as described in the errata.

The problem isn't the mistake, but whether you acknowledge it, fix it and then learn something from it.

Reply Parent Score: 1

dylansmrjones Member since:
2005-10-02

Well, those updates are NOT security fixes NOR critical bugfixes, but merely point releases.

Microsoft do not release point releases this way, so they should not be counted in.

Reply Parent Score: 1