back to article Microsoft knew of nasty IE bug a year before attacks

Microsoft was aware of a critical vulnerability in an Internet Explorer component at least 12 months before attackers started targeting it in lethal exploits that take full control of end-users' PCs, a member of its security team said Wednesday. The disclosure comes as attacks targeting the MSVidCtl ActiveX control …

COMMENTS

This topic is closed for new posts.
  1. N2 Silver badge

    They knew a year in advance

    Fuck me Microsoft, you lot were quick off the blocks to fix that one.

  2. WinHatter
    Grenade

    It's all in the name

    IE = Internet Exploitability

    Of course M$ knew, at the time it was considered a feature. A flaw by design if you will.

    But be fair to Apple, no one is using Java on Macs COCOA & Obj-C make Java a heap of pooh. No one, well except the likes of IE users on M$ ... every village has got its idiots.

  3. Michael
    Happy

    trust me...

    "If you use any flavor of Windows XP or Windows Server 2003, you should immediately hit this link and click on the Fix it icon to enable a workaround"

    Brilliant. trust us, just click here and all your problems will be solved. Isn't that how half of the problems start in windows?

  4. Anonymous Coward
    Black Helicopters

    Conspiracy theorists unite

    Fantastic - but isn't FBI in need of such bugs for installing CIPAV? And doesn't it have a power to issue gagging order against publishing the patch?

  5. yossarianuk
    Linux

    What do you expect from McdonaldSoft?

    This is why I cannot trust my computers security to the Mcdonalds of the Software world,

    Sure kids love them, they just have no idea about the hidden dangers of using their products ....

    When the company can do more that flip CD's and say 'Have a nice day' I may be interested.

    I bet Google would not allow such a serious long term vulnerability in their ChromeOS.....

  6. Number6

    Orange?

    Perhaps all the Orange staff need to click on a suitable link and bring their IE6 machines to their knees... (Having first made sure there's no trace of Firefox on their machines.)

  7. ChrisInBelgium

    3 words

    Firefox AdBlock Plus

  8. Anonymous Coward
    Linux

    Simply hilarious statement...

    At the same time, Microsoft engineers "had to make sure that we didn't unintentionally kill something that did have a known use."

    Which implies that there are 48 things in your PC that are there but nobody knows what they are used for? I'm sure that my Ubuntu box would be considered "bloated" if it included 48 things that nobody uses.

    Sorry, I know that this is done in the sacred name of that backward compatibility thing. And yes, I know that probably some obscure intranet page in a corporation has been running untouched for the last 8 years. Of course, it works in IE6 only. And could break because of this fix. But sometimes you need to act for the benefit of the majority and ignore the possibility of being sued or creating a minor inconvenient in your corporate customers.

  9. amanfromMars 1 Silver badge
    Gates Halo

    Reading the Binary Riot Act

    And that article tells us that the problem is still not fixed and may even be unfixable, rendering the PC a Remote RobotIQ Host and the installed Operating System, the Undisclosed Covert Programs' Driver.

    Or would that be likely Impossible/highly Improbable?

    Reading all the waffle and prevarication excusing the inaction and hiding the System's inability to address the situation without having to replace the entire Operating System with a completely New and Different One was educational though. Thanks, Dan.

    There are some who would say that to have correctly recognised the problem would allow one to provide a defensive solution to any future attack, and to provide a solution which would negate the need for Microsoft to rewrite their Operating System/Browser Unit, would be Worth a Large Fortune, which would be better MS Paid for Inhouse Defence, meThinks, than MS Lost to Proxy Attack, for at least then would it be an Added Extra Internal Investment rather than Crippling Catastrophic Increasing Liability.

    However, the Stupidity of Man knows no Bounds, and Microsoft have a History of Monumental Arrogant Blunders/Odd Questionable and Oft Questioned Practices, so one can expect the strangest of things, to be able to happen. :-) ... but only one of them will be made of the Right Stuff.

    [Bill will probably need to put his halo on for that decision]

  10. James 47
    Thumb Up

    'Tis true

    I've had to fix bugs that should be one-line changes but end up being awfully hacky so that existing programs that use that library don't stop working.

    C'est la vie

  11. Daniel 1

    This surely isn't a 'zero day' exploit?

    More of a 365 or 400 day exploit. I think this demonstrates how bad the circular dependencies within Windows have become. You cannot deal with something as supposedly superficial as video-handling within the ActiveX layer of the browser, without eventually bumping things all the way down to COSD and back again. This is why a farm of several hundred machines in Building 26 takes several days to do a single complete Windows 'build' (and each 'build' actually takes many hundred of actual builds, to iron out the dependencies, by a process of attrition). I wonder what those people within Microsoft, who argued that tight integration was a smart idea, are saying, now?

  12. Spabby
    Welcome

    May I be the first...

    not to welcome any sort of overlord, but say the first one to post "my OS is better than your OS" smells of wee.

  13. Anonymous Coward
    WTF?

    Where are the other 4

    49 CLSIDs??? Microsoft list only 45 on their workaround list - http://www.microsoft.com/technet/security/advisory/972890.mspx

  14. Anonymous Coward
    Jobs Horns

    @Daniel1

    Theyre saying *chi ching* as they take the sacks of money to the bank that this has resulted in...

  15. tom currie

    not really 3 million

    the count of 3 million is a bit high. To see the number of sites infected with this current strain, not the number of sites that talk about the b3b redirector site or just happen to use that phrase, try this search:

    http://www.google.com/search?q=%22c.js%22+%22script%22

    I get about 350,000

  16. SilverWave
    WTF?

    LOL Just had this discussion with a colleague - WIN

    On buying a new laptop I came to the conclusion that I could not use a windows OS outside a VM. Ubuntu for security and ease of use and XP or Win7 in a vm if needed...

    I had been considering a dual boot but borked at the thought of having to use and trust a MS OS bare to the internet.

    My disscussion over the comparative benefits of Linux security was:

    MS-Windows-IE:

    Any file can be executed.

    Cant trust MS to fix vulnerabilities - It could take a month!

    Against MS's own interests to even admit to vulnerabilities.

    No independent code review. (So you don't even know the total number of vulnerabilities).

    Ubuntu-FF:

    File Execute permission off by default.

    Lots of ppl looking for vulnerabilities and huge pressure to fix them ASAP.

    Not the target of most exploit code.

    FF no ActiveX

    Bottom line is trust and openness. But if anything it looks like I gave MS too much credit - A WHOLE YEAR!

    WTF.

  17. Paul Crawford Silver badge
    Black Helicopters

    @Conspiracy theorists unite

    Why would they go for MS-only IE exploit when you have Adobe flash to exploit on the majority of PCs (Windows, Linux and Mac)?

    Damn, the are coming for me again...

  18. Anonymous Coward
    FAIL

    No spare resource

    As all the coders were busy sorting out the mess called vista and turning it into windows 7 is a more likely explanation.

    FFS a whole year to patch, MS you are taking the piss and cannot be trusted to manage the source code.

  19. Tom 35 Silver badge

    How?

    "Check whether the problem is fixed. If the problem is fixed, you are finished with this article. If the problem is not fixed, you can contact support "

    And just how do check? Visit a nasty site and see if your PC gets hosed with spyware?

  20. James O'Brien
    WTF?

    Hold on a second

    "mostly operated by legitimate organizations based in China. "

    WTF??!! There are legitimate organizations in China??

    Surely it aint so. I thought all Chinese organizations were government run and operated with turning out the cheapest product for the masses as the bottom line? Lets not forget the espionage angle as well. And the hacking. And the farming. And the oppressing of their own citizens.

  21. Mike Pellatt
    Jobs Horns

    ActiveX. Again.

    I seem to remember that when M$ proposed the ActiveX "architecture", every unbought security expert threw up their hands in horror, screaming "DON'T DO THAT".

    But M$ did do that, proclaiming (as always) that it was "what their customers were demanding", and that the benefits outwieghed the risks.

    Permanent vulnerability was what their customers were demanding, clearly.

    Well, it is Sastan's Spawn, isn't it ??

  22. Anonymous Coward
    Linux

    Surely you jest?

    This reminds me of an aquaintance of mine; who AFTER getting nabbed for driving around in a stolen car for several days - he told the police that he wanted to report that his car had been stolen.

    The copper said, "Surely you jest"......

    Microsoft's wizard patches and "strong security" settings and all..... Microsoft is like having a 1000lb gorilla at the front door, while all the sneak thieves come in via the back door and the side windows and cellar, and they stick a gun up it's arse and pull the trigger..

    It's security dept is run by 8th grade drop outs..... and the tech support is run by "off shore call centers".

    After years of using really shonky microsoft OS's and software, and now having personally experienced just how EASY it it to have a system totally walked over by malware, I now REFUSE to have XP as an operating system on ANY net connected PC.

  23. Enigma9
    Gates Horns

    Internet Exploiter

    Internet Exploiter, Internet Exploder.... Oh wait no it's crappy Explorer, lets have a moment to reflect on how many explorers went into the Jungle only to be eaten by the natives.

  24. Ken Hagan Gold badge
    FAIL

    It's still not fixed

    Making a Fixit available is no bleedin' use! Outside of carefully managed coporate environments, what proportion of the XP user base do you think will have heard of this problem and what proportion of *that* do you think will have taken the trouble to seek out and manually apply the fix?

    If this is safe enough to release as a Fixit, it is safe enough to release on Windows Update, where it will be applied to a far wider user base and might actually do some good.

  25. joe 14
    Go

    re: Hold on a second

    you forgot the melemine laced milk and lead based paint used on toys

    LOL

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019