That's what I expected five days ago [webmasterworld.com]. At least they are now getting the picture, even if it is after being publicly slapped by both Germany and France.
OK, Redmond, you've now accepted your action point. So where's the patch?
For Microsoft, the "escalating threat environment" mentioned in my first quote is the threat to their image, not the actual hole in their browser. :) I assume they don't actually have a patch currently, so they're simply making noise and promises in an attempt to reassure.
This question may sound stupid, but could anybody clarify what "out of band" really means in this context? My English is good, but apparently I missed that one ;)
"Out of band" is Microsoft-speak for releasing a patch on a day other than the monthly "Patch Tuesday" - MS usually releases all patches on a strict schedule so that system administrators can plan ahead. Out of band is the exception.
Our friends at SANS have a touch more. Not good news:
If you restart your machine, the download is available if you're set up for automatic updates. Mine has updated with the new patch.
|confusion about what customers can do to protect themselves |
PR machine: there is no confusion whatsoever, customers should just drop IE/Windows.
|PR machine: there is no confusion whatsoever, customers should just drop IE/Windows. |
Amen. But we need to realize how difficult dropping IE would be for so many large firms' intranets. A lot of these jack-leg systems were built assuming IE was IT. Then folks (everyone from clerks to VPs) go home and want to see the same browser they use at their jobs.
It's one of the few cases in the internet biz where major, sustainable benefits did actually fall to the early mover.
Microsoft Security Bulletin Advance Notification for January 2010 [microsoft.com]
|This is an advance notification of one out-of-band security bulletin that Microsoft is intending to release on January 21, 2010. The bulletin will be for Internet Explorer to address limited attacks against customers of Internet Explorer 6, as well as fixes for vulnerabilities rated Critical that are not currently under active attack. |
This patch should start rolling out via the usual update mechanisms from 10am PST on January 21st. The update will require a restart.
My biggest concern? This patch has certainly been rushed. Has it been tested properly?
|My biggest concern? This patch has certainly been rushed. Has it been tested properly? |
That's come to be my concern with any software I install on my machine... more so with a patch having this particular history.
Any early adopters with feedback on this patch before I install it? ;)
My computer running IE6 got hit by this patch today. I installed the update and nothing blew up, but then again we use Firefox so this update was more of a covering bases thing. My machine with IE7 has not been offered an update yet.
|This patch has certainly been rushed. |
OK, I'll take it all back, because MS knew of Aurora exploit four months before Google attacks [theregister.co.uk]:
|Microsoft first knew of the bug used in the infamous Operation Aurora IE exploits as long ago as August, four months before the vulnerability was used in exploits against Google and other hi-tech firms in December, it has emerged. (...) BugSec's bulletin states that it reported the bug to the software giant on 26 August. |
So MS has had months to prepare their patch. Of course, this means that "my biggest concern" is not the patch quality, but the five months that MS sat on their hands before being forced into releasing a solution, only due to the pressure of bad publicity.
Google-haters might suggest that Google's timing also served to discredit IE security compared to Chrome. I mean, Google probably knew the patch was ready and expected in February, so why not hurt MS by jumping the gun on an IE zero-day? I'll let others flesh out the conspiracy theory ;)