Microsoft may have known about critical IE bug for 18 months | The Coffeehouse

Ubuntu

Long story short: MS proved it again that their poor reputation when it comes to security is well deserved. BTW not that long ago I argued on C9 why Firefox is more secure than IE because it doesn't support ActiveX and we didn't have to wait long for a new 0-day vulnerability.

Now let me hear that "it's not a bug - it' a feature" crowd Big Smile

PS

- MS will support Win XP for longer than Vista therefore it should care more about an OS it gives long-term support to

- advice given by security experts because of this threat: don't use IE

- why should the user pay to upgrade to Vista to be able to have more security on the net when you can switch to Firefox for free (and have a more standards-compliant browser thus web pages look prettier)

elmer
I'm on my very last life.

- why should the user pay to upgrade to Vista to be able to have more security on the net when you can switch to Firefox for free (and have a more standards-compliant browser thus web pages look prettier)

...and yet, they choose not to.

Could it be that some people don't actually like FireFox ?

RoyalSchrubber
One. How many time travellers does it take to change a lightbulb?

Yes, Canonical excels Microsoft in everything. In 11 days it will be 24 months and this critical bug still has not been fixed. - https://bugs.launchpad.net/ubuntu/+bug/127116

It's unlikely that they are going to fix it, as some niners have pointed out before it's architectural flaw and linux has plenty of them. Just like this one http://rixstep.com/2/20070201,00.shtml . Or how system software don't authenticate origin of password asking dialogs.

Not saying Windows isn't broken, Linux just surpasses it in brokenness.

Dodo
I'm your creativity creator™ :)

In reply to RoyalSchrubber

#Jul 9th @ 6:04 AM

Bug: Design flaw
Severity: Security of computers is heavily impacted
Details: Computers are operated and maintained by the user. The user may be dumb or otherwise not pay attention to what is going on.

Solution: Remove the user interface.

I'm just kidding. Smiley

Ubuntu

In reply to elmer

#Jul 9th @ 6:01 AM

Could it be that some people don't actually like FireFox ?

Could it be that IE comes preinstalled with Windows and some people don't have the privileges to install a different browser (corporate environment) or don't know that they could install a different browser (and they still use the OS that came preinstalled when they bought it).

Ubuntu

In reply to RoyalSchrubber

#Jul 9th @ 6:04 AM

In 11 days it will be 24 months and this critical bug still has not been fixed.

I think there is a more severe Ubuntu bug described here (which might be related to yours).

DCMonkey
Monkey see, monkey do, monkey will destroy you!

Yay! Switch to Firefox 3.5! Where some bright programmer decided it would be a good idea to gather random data for the security subsystem by scanning all the files in your temp folder and IE cache every time it starts!

https://support.mozilla.com/tiki-view_forum_thread.php?comments_parentId=381674&forumId=1

magicalclick

In reply to DCMonkey

#Jul 9th @ 10:52 AM

That's weird solution indeed. Why would they advice to clear stuff using IE to solve their performance issues? Not to mention the site is not a secured HTTP connection....... hum....... not sure what that is, but I take best course of action is click NO.

AndyC

In reply to DCMonkey

#Jul 9th @ 10:52 AM

Wow. What do you have to smoke before you're allowed to design a feature for Firefox? Who could possibly think that was a good idea?

Larry Osterman

Ummm.. Actually there's no "may" about it: http://blogs.technet.com/msrc/archive/2009/07/09/questions-about-timing-and-microsoft-security-advisory-972890.aspx

[blockquote]

Before I go into the details, the key thing I want customers to understand is that this is an issue that was responsibly reported to us and we have been driving in our standard process towards a security update. While in the middle of that process, attackers found this same vulnerability and began attacks against it. We were far enough in the process that we could provide information that customers can use to protect themselves in the interim while we complete that investigation and deliver a security update that you can deploy broadly with confidence. Like Jerry said, we’re targeting next Tuesday to release this update.

In terms of timeline, we received the original report from Ryan Smith and Alex Wheeler with IBM ISS X-Force in the early Spring of 2008. The CVE number assigned to this, CVE-2008-0015, can make it look older but that’s because IBM (like Microsoft) gets CVE numbers in large blocks and assigned them sequentially to issues.

...

We always aim to be thorough in our investigations. For any issue that is reported to us, we strive to address not only the vulnerabilities brought to us but also to find any similar or related issues to ensure the update provides as comprehensive security as possible. And once we confirmed that issue we expanded our investigation to be thorough.

In the case of this particular issue, part of our investigation showed other interfaces were vulnerable, in this ActiveX Control, not only the one seen used in attacks.

[/blockquote]

According to the blog post, even though the vulnerability was disclosed to MSFT in the spring of 2008, attackers only discovered and started using it relatively recently (just before it was scheduled to be released).

The bottom line is that doing due dilegence takes time. It's far better to take care when making a security fix than it is to break users browsing experience.

http://starkravingfinkle.org/blog/2008/03/extension-developers-breaking-news-part-2/

http://news.cnet.com/Apple-OS-X-security-fix-busts-64-bit-support/2100-1002_3-5837406.html

And MSFT has had issues too: http://www.betanews.com/article/MS-IE-Patch-Causing-Browser-Crashes/1155745873

That's why you take your time in testing these fixes, especially when there's no evidence that attackers are exploiting the vulnerability.

elmer
I'm on my very last life.

In reply to Ubuntu

#Jul 9th @ 9:38 AM

That's utter nonsense of a reply.

If a corporate user is not allowed to replace IE with Firefox, it's because the company has decided that they don't want Firefox installed... i.e. Their Choice.

If an end-user doesn't know enough to be able to obtain FireFox via the net, that's not MS's fault for providing them with IE... it's FireFox's fault for not marketing themselves well enough. In simple terms: They have trouble giving it away for free.

Nobody is forced to use IE, people have a choice, and it's an easy enough one to make... and yet, people still stay with IE... because it simply does what they need it to do and most people don't care about the areas it's lacking in.