Friday, January 22, 2010

Patch or die, an out-of-band story

As I discussed in my last post, the vulnerability in Internet Explorer used against Google and other big companies was a pretty big deal, because this kind of security hole can be exploited to run malware simply by getting the victim to visit a web page. The concept is not new; in fact it's been with us since 2006-2007. When the attack is performed successfully, the victim just visits a web site with the affected browser and becomes infected with malware. In the background, the web page exploits the hole and instructs the flawed browser to download the malicious component and run it.

In the Google case, the hole affected all Internet Explorer versions from 6 to 8. Microsoft announced that the exploit as written would not affect versions 7 and 8 if you had enabled a security option called "DEP" (this is on by default though). After the exploit was made public, people modified it to attack effectively all Internet Explorer versions, so the DEP suggestion didn't help.

At some point, the French and German governments publicly recommended not using Internet Explorer as your browser of choice. With this much pressure coming from all sides, Microsoft today finally released the patch in a special out-of-band release, something they don't like to do (for some weird unknown reason... if it's necessary, it should be done).

Apparently, Microsoft had known about this flaw in their software since September, but it had been sitting in their queue for quite a while until the bad guys discovered it and took advantage. We probably won't ever know the full story, but from the outside it doesn't look very responsible to leave something unsolved for so long, waiting for a disaster to happen.

This issue, in my opinion, should open an internal debate at Microsoft about how their patching process should work going forward. It's clear that the current workflow is failing, and there should be a way to fix it. This is not the last time we are going to suffer a zero-day exploit attack, so the more prepared we are, the better we'll fare when it comes.

2 comments:

  1. My guess is Microsoft has a large pile of possible exploits similar to this one. There is not enough time to patch, test and deploy every one of them. So they have to prioritize based on severity, likelihood of exploitation and activity in the wild. I'm not intending to say it is the right attitude, only that I can understand the scale of the problem.

  2. I understand. Still, four months is a little long to leave this lying in the queue. I'm guessing this story has made them change the process though :)
