Pah

So much for M$ strutting around the Internet pointing out other peoples' security flaws, and all that other Security Lifecycle malarkey. People in glass houses.... but then who really thought they had turned over some kind of security new leaf, eh?

only 2 years ?

*nix last one was 8 years :P

Here is your FAIL M$ fanboys

2 years - massive FAIL!!!! This is what using M$ and its proprietary poorly coded software gets you.

Did i mention FAIL!!. Thanks M$, just when I though that Linux kernal bug (fixed in a day or two of reporting) might hurt the Linux reputation (with the masses) M$ steps in and saves the day. Two years to fix a critical exploit .... Nuff Said!

can we have a hardhat icon

MS is gonna need it from the thus forth comming comments :)

zer0-day?

When did this place start hiring skiddies?

It's all a conspiracy

It wouldn't surprise me if these large companies had contractual agreements with national security agencies to reveal a number of known exploits of their software that they've discovered or been informed about, while delaying the fix until public exploitation, with considerable money in return. Compare that to the cost of fixing and testing the issue with an ever increasing number of products and suddenly there are 2 year waits for consumer patches.

At least they can't sell their buggy software now

With Microsoft unable to sell M$ Word surely that means that there are less people being exposed to this kind of thing?

Maybe a judge should pass a ruling banning them from selling any software - the world would be a much better place!

Surely though, it doesn't take two years to work its way through M$ before a fix is released - Apple managed it in 24 hours with the iPhone SMS exploit! Long live Steve!

<-- Stop, because Microsoft had to.

Zero-day?

A zero-day vulnerability is one which the application vendor is not aware of, which is being exploited.

If the application vendor knew about it for 2 years, but did not fix it, it is by definition NOT a zero-day vulnerability. The days start counting from when the vendor becomes aware of the vuln.

@ Kev K

Sorry Kev, That Linux (not Unix mind u) bug was fixed in a matter of days. Yes it has been around in the code for 8 years, but it was fixed almost immediately after it was reported. MS bug was around before 2 years, ago, the important factor here is that M$ took TWO YEARS AFTER it was reported to fix it. I'm sure there are still non-publicly disclosed bugs in any OS, but Linux has shown that they tend to have less bugs, the bugs are usually less damaging (requiring a user account to already be compromised like the 8 year one above) whereas the typical windows exploit is usually achieved with malformed code (buffer overflows) or simply visiting a web site, or playing a movie file.

@ Pink Duck ... interesting, but applying the most simple explanation; I think they are just that bad at what they do. Plus actual criminal risk if caught would be VERY high, and they get the same benefit by just being dumb.

Seriously---

Couldn't they have bundled a patch for this with some other updates at some point in the last two years? Is it that hard? Maybe not enough programmers to write a patch, with laying off a bunch of people while the company is still making money hand over fist?

@Kev K, Re: *nix last one was 8 years :P

Please show the advisory that was announced for this flaw eight years ago.

Oh, wait.

@Pink Duck

While we're getting the hardhat icon, can we also have a tinfoil hat icon?

@Kev

The Linux one might've existed for 8 years, but it wasn't found and reported until recently, and the got patched within a day or two. The MS one was found and reported over 2 years ago, and is just getting patched now. That's not quite the same.

Furthermore, in order to exploit the Linux one, you had to have access to the computer itself. For the MS one, it's a web component, so you only need access to the internet. Again, not quite the same.

@Zero-day?

"A zero-day vulnerability is one which the application vendor is not aware of, which is being exploited.

If the application vendor knew about it for 2 years, but did not fix it, it is by definition NOT a zero-day vulnerability. The days start counting from when the vendor becomes aware of the vuln."

I have a list of question regarding that claim:

1. Who decide what is the official and true meaning of a new expression? Are there some sort of official institute that keep a list or something? If so, could you be so kind as to direct me to it?

2. If unable to answer on the previous question: Are you able to present to me some sort of statistics or numbers that the common usage of the expression are in majority what you claim it means, and under no circumstances could have additional meaning?

3. Regardless of whether you are correct or not: Why do you feel a need to address this, and what is the purpose to it?

4. Do you feel that your comment adds value to the article and its comment section?

Mine is the one with AA (Anal Anonymous) membership card in the pocket. We like to pick on people picking on others.

Mozilla fail

How come the list of other vendors who have critical bugs outstanding over a year only included one pure open source outfit - Mozilla? I love and use firefox and all but the writing on the wall lately does not look good for its long term future. First the fact that the big open source exploiters (charged word but meh) Google and Apple (between two of them talking massive resources obviously) chose to use webkit (originally khtml engine but heavily modified) instead of gecko (firefox engine), as well as the longer times to patch critical bugs by mozilla might mean Mozilla won't be the dominant open browser long term. Oh well competition even in open source is good and with a quarter of the sheeptards still using IE6 (even M$ disgusted with the situation they directly caused) either is 100x times better in every way.

For Flying Pink Elephants....

"Meanwhile, you could just ignore all that. Just I'd advise not plotting world domination using your PC or networked devices.

Cheerio." .... By SoltanGris Posted Sunday 16th August 2009 03:19 GMT

Hello. I'd like to advise that nowadays plotting world domination without the use of the humble ubiquitous PC or networked devices is to Guarantee and Invite Failure and mounting future problems which will be targeted for resolution/binary blasting with PCs and networked devices.

This is what is possible today, and it was Registered two days ago too ...... "If you are in Denial and Disbelief of SMARTer Third Parties building with AI ProgramMING an Altogether Fundamentally Different New World Order with Cloud Control for Virtually and Vitally Important Operating Systems, do such Elemental First Party Failings Present and Guarantee Unconventional and Irregular Forces, Perfect Future Intelligence Stealth for Great Game TakeOvers and Big Picture MakeOvers." ..... but failed ITs Sensitive Subjective Peer Review Test for Comment Publication on El Reg, but IT is Vital Virile Viral Information for Any and All Quantum Communications Control Systems for the Virtualised Environment and ITs Cloudy GUI Power Distribution Layers/Levels/Desktops...... All Singing All Dancing Laptops.

And One Virtual Machine to Control and Power them All? Which would be a Fool Question and QuITe Preposterous Impossible Notion to Most Everybody but merely a Noble Nobel Work in Progress to the Next Higher Levels of Confusion and CompleXXXX Simplicity for a Few Master Pilots ......... Per Ardua ad MetaAstra.

Given the Massive Server Store of Public Flight Information on such Matters, deposited freely with the Register, it would not be something which can be denied and/or disputed.