We wanted to provide a quick update on the threat landscape and announce that we will release a security update out-of-band to help protect customers from this vulnerability. (...) Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment Microsoft will release a security update out-of-band for this vulnerability.
PR machine: there is no confusion whatsoever, customers should just drop IE/Windows.
Amen. But we need to realize how difficult dropping IE would be for so many large firms' intranets. A lot of these jack-leg systems were built assuming IE was IT. Then folks (everyone from clerks to VPs) go home and want to see the same browser they use at their jobs.
It's one of the few cases in the internet biz where major, sustainable benefits did actually fall to the early mover.
This is an advance notification of one out-of-band security bulletin that Microsoft is intending to release on January 21, 2010. The bulletin will be for Internet Explorer to address limited attacks against customers of Internet Explorer 6, as well as fixes for vulnerabilities rated Critical that are not currently under active attack.
This patch should start rolling out via the usual update mechanisms from 10am PST on January 21st. The update will require a restart.
My biggest concern? This patch has certainly been rushed. Has it been tested properly?
This patch has certainly been rushed.
OK, I'll take it all back, because MS knew of Aurora exploit four months before Google attacks [theregister.co.uk]:
Microsoft first knew of the bug used in the infamous Operation Aurora IE exploits as long ago as August, four months before the vulnerability was used in exploits against Google and other hi-tech firms in December, it has emerged. (...) BugSec's bulletin states that it reported the bug to the software giant on 26 August.
So MS has had months to prepare their patch. Of course, this means that "my biggest concern" is not the patch quality, but the five months that MS sat on their hands before being forced into releasing a solution, only due to the pressure of bad publicity.
Google-haters might suggest that Google's timing also served to discredit IE security compared to Chrome. I mean, Google probably knew the patch was ready and expected in February, so why not hurt MS by jumping the gun on an IE zero-day? I'll let others flesh out the conspiracy theory ;)