You just answered your own question.
One word: bureaucracy.
>> How does a major security threat like this take
>> almost 4 MONTHS to be patched?
Probably because dozens if not hundreds of programs call the vulnerable part of the API, since cursor and icon handling is part of the base of most every program - fixing it is one thing, fixing it and making certain you don't break every application out there is something quite different.
ESPECIALLY when you can't expect everyone to just 'recompile' all the affected programs (a drawback of binary distribution) like you can in the open source world, or worse, because it's all binaries you get programmers trying to take 'shortcuts' for speed or just out of ignorance.
Remember, writing a program for Linux takes actual skill and knowledge, while any twelve year old script kiddy can make a program in Visual Basic... and if MS broke those programs from this fix, you'd have a LOT more complaints than you would from waiting a few months to fix a vulnerability.
Especially with the number of 'corporate' programs that are written in VB, and as such the intellectual equivalents of what a 12 year old script kiddy could churn out in an hour. (and probably took the corporate programmer with multiple doctorates in computer science two weeks to get to the point of being functional)
Edited 2007-04-03 03:08
{Remember, writing a program for Linux takes actual skill and knowledge, while any twelve year old script kiddy can make a program in Visual Basic}
Your statement is unfortunately now out of date, since February this year.
http://reddevnews.com/features/article.aspx?editorialsid=708
"Mono enables Windows .NET developers to code in C# or VB.NET using Visual Studio and .NET 1.1 or 2.0 development technologies, and then compile and run .NET code base on multiple platforms, including Windows, Linux, Sun Solaris, Unix and Mac OS X. Mono supports multiple languages, and both open source and commercial compilers. In February, Mono released the Mono Visual Basic Compiler, which .NET developers can use to program in Visual Basic.NET. The new compiler is written in Visual Basic and is "self-hosting.""







How does a major security threat like this take almost 4 MONTHS to be patched? The largest, richest software company in the world can't manage to do something that a group of "volunteers" manages to do all the time?
I'm really beginning to think that Microsoft and many of the other commercial software companies just don't care. Vulnerabilities are fine, sh*t happens, but for f*ck sakes, patch them before they can be exploited!