Over the past few days a newly discovered flaw in the Internet Explorer web browser has been making the rounds across the internet. The flaw allows people with malicious intent to install viruses or malware onto affected computers running Windows XP or Server 2003 (2000, Vista, and Server 2008 are not affected). Even though this flaw was assumed to be new, Microsoft was actually alerted to the issue a year ago.
The flaw was reported to Microsoft in 2008, and ever since, Microsoft has been working to get a fix out. At least, that’s what the security researcher who actually discovered the flaw said. He explains that the nature of the flaw is one that makes it difficult to fix. “The actual mechanics of the vulnerability aren’t standard and that’s kind of what took Microsoft so long,” he said, “They were definitely working diligently to fix the problem. It was more the nature of the flaw that took so much time.”
Apparently, Microsoft agrees with this viewpoint (surprise). “Not every issue is the same as far as the level of work we need to do to be comprehensive in making sure we fix not just the issue reported to us but any similar issues,” Microsoft’s Mike Reavey, director of the Microsoft Security Response Center, said, “If we release an update that breaks apps it doesn’t protect anybody because they won’t install it.”
A temporary fix is out now, so if you’re running Windows XP or Windows Server 2003, go to this page and click the big “Fix it” button.
MS has had many holes they have known about for long, long periods of time that are fixed way after (or are at least made public way after). What I am curious about is, if this is getting attention now, does that mean someone or something has been exploiting it?
From what I’ve read the exploit has been employed for about a month and has already taken some traction.
Not much more, could Google it… but I’m lazy…
If Microsoft was warned of this a year ago, that’s not too bad.
Of course, I’m joking; if they were warned a year ago, then the problem should have been fixed 364 days ago. But look at Apple – they were warned of a particularly dumb security problem four years before they fixed it. The infamous one, where AppleScripts could tell setuid root programs to launch and “run a shell script” as root.
Well, Apple didn’t integrate Samba fixes for 2 years, right? It’s surprising that they’ve put out security fixes for Safari 4 twice since it was released. That probably means that the iPhone version is hanging out in the open, but there are only a few million users, right?
Well, IE and WinXP make a powerful combination for looters anyway, and almost always have. I can’t count all the times the TV news was talking about identity theft as the user was videotaped using IE. The interesting thing about this one is that Win2000 isn’t affected and that Vista isn’t affected either.
Without being overly paranoid, was Microsoft using this “entry point” for its own purposes given that Windows XP has been its dominant business/end-user product for about 6-7 years now?