Over a year to fix the vulnerability!
FFS, MS, get real and patch in a reasonable time frame rather than playing handbags at ten paces with Apple.
Microsoft plans to issue two emergency patches next week that fix vulnerabilities in the Internet Explorer browser and Visual Studio developer suite that allow attackers to remotely execute malware. The patches, which will be delivered on Tuesday, will be only the third time Microsoft has issued an out-of-band security patch …
"The underlying bug was discovered by researchers Ryan Smith and Alex Wheeler and reported to Microsoft in April or May of 2008. "
So has it really taken them over a year to fix it? Or is it that MS sat on their hands because there were no exploits in the wild, and now suddenly there is an exploit so it needs a fix?
It seems to me (and I could be wrong) that MS only fix vulnerabilities when they absolutely have to, and that the reason for this is to make their figures on vulnerabilities look good. As long as they don't acknowledge the vuln with a fix then it won't show up on their published list of vulnerabilities.
If William is admitting to this then we have to ask "just how bad is it?" I am unconvinced as to the depth of urgency as stated; from a year ago it seems to have inveigled itself into plenty of sites, some of which could be critical to our continued use of the internet. Will William ever get it right first time? Answers on a £50.00 note please.
Just a minor point of grammar - and this is something that our U.S. friends really need reminding about - you can't issue a Tuesday, even if you call it an emergency patches Tuesday.
Microsoft will be issuing emergency patches ON Tuesday. And if they write to me about it, they will be writing TO me, not writing me.
Grrr.
Microsoft are responsible for a *huge* amount of code covering OSes, drivers, apps, servers, web tech, etc. And we're all mature enough to realise that software - from any vendor - will rarely be perfect, and vendors rarely have enough staff to do everything at once. It therefore stands to reason that some degree of prioritisation is required when it comes to dealing with flaws identified in the codebase. Normally there is sufficient time to issue a fix before an exploit appears in the wild, but not always.
The question should therefore be, not "when were Microsoft notified of the flaw?", but rather "for how long has the flaw been actively exploited?" Active exploits are the ones to worry about, not potential exploits (and yes, I realise that potential exploits will become active exploits if left un-patched).
Furthermore, I firmly believe that Microsoft will have a much easier time once businesses and stupid people transition away from pre-Vista, pre-IE8 software. Vista, Win7 and IE8 may not be loved by everyone, but a hell of a lot of re-plumbing was done in the name of security.
And I say all this as a Mac user. In fact, I've been recommending Win7 to many of my friends where before I'd plead with them to consider OS X.
I feel dirty using the Gates-halo icon....
Obviously Internet Explorer is only the attack target, but the source comes from the development platform used. I'm sure that we will see more patches and updates in the next couple of weeks coming from major software vendors who have either used the same development platform or the same libraries to compile their software code. You can find more about my theory at my Risk Management blog at http://itriskspace.com/2009/07/25/1248487800000.html
-Andreas
http://ITRiskSpace.com