Comment Feed for Microsoft may have known about critical IE bug for 18 months (Coffeehouse on Channel 9)

Re: Re: Re: Microsoft may have known about critical IE bug for 18 months

Elmer — Fri, 10 Jul 2009 03:26:18 GMT

That's utter nonsense of a reply.

If a corporate user is not allowed to replace IE with Firefox, it's because the company has decided that they don't want Firefox installed... i.e. Their Choice.

If an end-user doesn't know enough to be able to obtain FireFox via the net, that's not MS's fault for providing them with IE... it's FireFox's fault for not marketing themselves well enough. In simple terms: They have trouble giving it away for free.

Nobody is forced to use IE, people have a choice, and it's an easy enough one to make... and yet, people still stay with IE... because it simply does what they need it to do and most people don't care about the areas it's lacking in.

Re: Microsoft may have known about critical IE bug for 18 months

Larry Osterman — Fri, 10 Jul 2009 02:27:26 GMT

Ummm.. Actually there's no "may" about it: http://blogs.technet.com/msrc/archive/2009/07/09/questions-about-timing-and-microsoft-security-advisory-972890.aspx

[blockquote]

Before I go into the details, the key thing I want customers to understand is that this is an issue that was responsibly reported to us and we have been driving in our standard process towards a security update. While in the middle of that process, attackers found this same vulnerability and began attacks against it. We were far enough in the process that we could provide information that customers can use to protect themselves in the interim while we complete that investigation and deliver a security update that you can deploy broadly with confidence. Like Jerry said, we’re targeting next Tuesday to release this update.

In terms of timeline, we received the original report from Ryan Smith and Alex Wheeler with IBM ISS X-Force in the early Spring of 2008. The CVE number assigned to this, CVE-2008-0015, can make it look older but that’s because IBM (like Microsoft) gets CVE numbers in large blocks and assigned them sequentially to issues.

...

We always aim to be thorough in our investigations. For any issue that is reported to us, we strive to address not only the vulnerabilities brought to us but also to find any similar or related issues to ensure the update provides as comprehensive security as possible. And once we confirmed that issue we expanded our investigation to be thorough.

In the case of this particular issue, part of our investigation showed other interfaces were vulnerable, in this ActiveX Control, not only the one seen used in attacks.

[/blockquote]

According to the blog post, even though the vulnerability was disclosed to MSFT in the spring of 2008, attackers only discovered and started using it relatively recently (just before it was scheduled to be released).

The bottom line is that doing due dilegence takes time. It's far better to take care when making a security fix than it is to break users browsing experience.

http://starkravingfinkle.org/blog/2008/03/extension-developers-breaking-news-part-2/

http://news.cnet.com/Apple-OS-X-security-fix-busts-64-bit-support/2100-1002_3-5837406.html

And MSFT has had issues too: http://www.betanews.com/article/MS-IE-Patch-Causing-Browser-Crashes/1155745873

That's why you take your time in testing these fixes, especially when there's no evidence that attackers are exploiting the vulnerability.

Re: Re: Microsoft may have known about critical IE bug for 18 months

AndyC — Thu, 09 Jul 2009 21:39:05 GMT

Wow. What do you have to smoke before you're allowed to design a feature for Firefox? Who could possibly think that was a good idea?

Re: Re: Microsoft may have known about critical IE bug for 18 months

magicalclick — Thu, 09 Jul 2009 18:48:52 GMT

That's weird solution indeed. Why would they advice to clear stuff using IE to solve their performance issues? Not to mention the site is not a secured HTTP connection....... hum....... not sure what that is, but I take best course of action is click NO.

Re: Microsoft may have known about critical IE bug for 18 months

DCMonkey — Thu, 09 Jul 2009 17:52:07 GMT

Yay! Switch to Firefox 3.5! Where some bright programmer decided it would be a good idea to gather random data for the security subsystem by scanning all the files in your temp folder and IE cache every time it starts!

https://support.mozilla.com/tiki-view_forum_thread.php?comments_parentId=381674&forumId=1

Re: Re: Microsoft may have known about critical IE bug for 18 months

Ubuntu — Thu, 09 Jul 2009 16:44:30 GMT

In 11 days it will be 24 months and this critical bug still has not been fixed.

I think there is a more severe Ubuntu bug described here (which might be related to yours).

Re: Re: Microsoft may have known about critical IE bug for 18 months

Ubuntu — Thu, 09 Jul 2009 16:38:41 GMT

Could it be that some people don't actually like FireFox ?

Could it be that IE comes preinstalled with Windows and some people don't have the privileges to install a different browser (corporate environment) or don't know that they could install a different browser (and they still use the OS that came preinstalled when they bought it).

Re: Re: Microsoft may have known about critical IE bug for 18 months

Dorian Muthig — Thu, 09 Jul 2009 14:15:08 GMT

Bug: Design flaw
Severity: Security of computers is heavily impacted
Details: Computers are operated and maintained by the user. The user may be dumb or otherwise not pay attention to what is going on.

Solution: Remove the user interface.

I'm just kidding. :)

Re: Microsoft may have known about critical IE bug for 18 months

RoyalSchrubber — Thu, 09 Jul 2009 13:04:35 GMT

Yes, Canonical excels Microsoft in everything. In 11 days it will be 24 months and this critical bug still has not been fixed. - https://bugs.launchpad.net/ubuntu/+bug/127116

It's unlikely that they are going to fix it, as some niners have pointed out before it's architectural flaw and linux has plenty of them. Just like this one http://rixstep.com/2/20070201,00.shtml . Or how system software don't authenticate origin of password asking dialogs.

Not saying Windows isn't broken, Linux just surpasses it in brokenness.

Re: Microsoft may have known about critical IE bug for 18 months

Elmer — Thu, 09 Jul 2009 13:01:49 GMT

- why should the user pay to upgrade to Vista to be able to have more security on the net when you can switch to Firefox for free (and have a more standards-compliant browser thus web pages look prettier)

...and yet, they choose not to.

Could it be that some people don't actually like FireFox ?