Saturday, January 23, 2010

Microsoft knew of flaw in September

Remember all the recent fuss about the critical flaw in IE that led to the attacks against Google? At the time, it seemed to be just another example of buggy IE. But it was important enough for Microsoft to step up its patch cycle, and release an emergency fix.

Turns out, Microsoft knew about the vulnerability since September.

Microsoft security program manager Jerry Bryant wrote in a blog posting this week:
When the attack discussed in Security Advisory 979352 was first brought to our attention on Jan 11, we quickly released an advisory for customers three days later. As part of that investigation, we also determined that the vulnerability was the same as a vulnerability responsibly reported to us and confirmed in early September.
(Emphasis mine.)

So this critical security issue was reported to Microsoft 4 months ago, but Microsoft sat on it. Microsoft says they originally intended to release the fix in February, and only moved it up because of the attack on Google. Giving Microsoft the benefit of the doubt on that one, that means the bug would have sat exposed and unaddressed for 5 months, waiting for an attacker to use it. Which they eventually did.

By comparison, Free / open source software has bugs too. Sure, some open source projects may have certain bugs sitting in them for months before someone gets around to them. To be fair, though, critical bugs (like security) get fixed pretty damn fast in F/OSS.

I think I found another reason to recommend Linux.


  1. Microsoft's response to the German and French announcements was to deny that there was any sort of problem. People shouldn't change browsers, there's really nothing wrong. So MS lied to the world. I wonder if they'll muzzle their programmers now since the programmers contradicting the propagandists just makes MS look like a pack of liars.

  2. But it is not as though Microsoft would gain some business advantage over Google by having this flaw. It's not like Microsoft is also in the search engine business or whatever.

