Turns out, Microsoft knew about the vulnerability since September.
Microsoft security program manager Jerry Bryant wrote in a blog posting this week:
"When the attack discussed in Security Advisory 979352 was first brought to our attention on Jan 11, we quickly released an advisory for customers three days later. As part of that investigation, we also determined that the vulnerability was the same as a vulnerability responsibly reported to us and confirmed in early September."
(Emphasis mine.)
So this critical security issue was reported to Microsoft 4 months ago, and Microsoft sat on it. Microsoft says they originally intended to release the fix in February, and only moved it up because of the attack on Google. Giving Microsoft the benefit of the doubt on that one, that means the bug would have sat exposed and unaddressed for 5 months, waiting for an attacker to use it. Which one eventually did.
By comparison, free / open source software has bugs too. Sure, some open source projects may have certain bugs sitting in them for months before someone gets around to them. To be fair, though, critical bugs (like security) get fixed pretty damn fast in F/OSS.
I think I found another reason to recommend Linux.
Microsoft's response to the German and French announcements was to deny that there was any sort of problem. People shouldn't change browsers, there's really nothing wrong. So MS lied to the world. I wonder if they'll muzzle their programmers now since the programmers contradicting the propagandists just makes MS look like a pack of liars.
But it is not as though Microsoft would gain some business advantage over Google by having this flaw. It's not like Microsoft is also in the search engine business or whatever.