Microsoft plans to issue two emergency patches next week that fix vulnerabilities in the Internet Explorer browser and Visual Studio developer suite that allow attackers to remotely execute malware. The patches, which will be delivered on Tuesday, will be only the third time Microsoft has issued an out-of-band security patch in …
Over a year to fix the vulnerability !
FFS MS get real and patch in a reasonable time frame rather than playing handbags at ten paces with Apple.
My MS PC has so comprehensively b0rked itself overnight that it being in a state to actually *execute* malicious software would be a boon - at least it would be bloody well working...
Terms too deep for me
Microsoft's patches "will address an issue that can affect certain types of applications."
Righty-ho. Glad to have that cleared up. It puts my mind at ease, it does. It's nice to see that Reginald Bunthorne is once again gainfully employed.
No need to panic.....PANIC!
"The underlying bug was discovered by researchers Ryan Smith and Alex Wheeler and reported to Microsoft in April or May of 2008. "
So has it really taken them over a year to fix it? Or os it that MS sat on their hands because there were no exploits in the wild and now suddenly there is an exploit so it needs a fix?
It seems to me (and I could be wrong) that MS only fix vulnerabilities when they absolutely have to and that the reason for this is to make their figures on vulnerabilities look good. As long as they don't acknowledge the vuln with a fix then it won't show up on their published list of vulnerabilties.
Microsoft to issue emergency patches Tuesday
I rather liked the idea of Tuesday receiving emergency patches - a few more minutes in the day, and a little less rain, perhaps?
Or is this some arcane American conspiracy to remove the rightful word "on" from the title sentence?
If William is admitting to this then we have to ask "just how bad is it?" I am unconvinced as to the depth of urgency as stated from a year ago it seems to have inveigled itselt into plenty of sites, some of which could be critical to our continued use of the internet. Will William ever get it right first time? Answers on a £50:00 note please.
Bring back the ON
Just a minor point of grammar - and this is something that our U.S. friends really need reminding about - you can't issue a Tuesday, even if you call it an emergency patches Tuesday.
Microsoft will be issuing emergency patches ON Tuesday. And if they write to me about it, they will be writing TO me, not writing me.
Yet More Critical Patches
Windows seems to get so many patches that "prevent hackers from gaining control of your computer" that I'm not sure why this is news.
The Big Picture...
Microsoft are responsible for a *huge* amount of code covering OSes, drivers, apps, servers, web tech, etc. And we're all mature enough to realise that software - from any vendor - will rarely be perfect, and vendors rarely have enough staff to do everything at once. It therefore stands to reason that some degree of prioritisation is required when it comes to dealing with flaws identified in the codebase. Normally there is sufficient time to issue a fix before an exploit appears in the wild, but not always.
The question should therefore be, not "when were Microsoft notified of the flaw?", but rather "for how long has the flaw been actively exploited?" Active exploits are the ones to worry about, not potential exploits (and yes, I realise that potential exploits will become active exploits if left un-patched).
Furthermore, I firmly believe that Microsoft will have a much easier time once businesses and stupid people transition away from pre-Vista, pre-IE8 software. Vista, Win7 and IE8 may not be loved by everyone, but a hell of a lot of re-plumbing was done in the name of security.
And I say all this as a Mac user. In fact, I've been recommending Win7 to many of my friends where before I'd plead with them to consider OS X.
I feel dirty using the Gates-halo icon....
It's Black Hat week
Obviously Internet Explorer is only the attack target but the source comes from the used development platform. I'm sure that we will see more patches and updates the next couple of weeks coming from major software vendors who have either used the same development platform or the same libraries to compile their software code. You can find more about my theory at my Risk Management blog at http://itriskspace.com/2009/07/25/1248487800000.html
-well, where are they?
16:50 here in the UK and no sign of them.