A patch in time saves nine
Sat, Jun 26 2004 17:47
A few weeks ago I bitched about how I believed the move by MS to monthly updates was leaving customers vulnerable. There was a “day zero” exploit and MS to this date has done nothing to inform customers about the potential problem, and still has not fixed it. That’s almost three weeks since information was publicly available on the internet on how to download and run any application you like on a user’s computer (iow: WIDE OPEN).
Microsoft’s logic on this seems to have been that maybe it wasn’t widespread. That is, instead of being proactive, they decided to wait and be reactive. Well guess what has happened?
There is news of a recent IIS exploit that is downloading code to users’ machines and executing it. Sounds familiar, right? The hypotheses I’ve read to date on it indicate it might be taking advantage of known exploits on un-patched servers, and then exploiting more known vulnerabilities on the clients, vulnerabilities for which a patch is not available. Susan Bradley has posted some good tips for client machines, but really for the more tech-savvy part of society, not for the moms and pops and children who trust Microsoft to keep them informed and patched.
It’s not that monthly security rollups are wrong or bad; it’s the leaving it for so long without a patch, without advising their customers, which I believe is negligent. MS has known about this potentially damaging exploit for the best part of three weeks now, and yet they have neither supplied a patch nor notified their customers. Bad, bad, bad, BAD !!
UPDATE: Tech Republic seems to confirm my worst fears:
- The tactic is not new. Earlier this month, an independent security researcher found an aggressive advertising program, known as adware, that installed itself onto a victim's computer via the same two flaws in Internet Explorer.
This time, however, the flaws affect every user of Internet Explorer, because Microsoft has not yet released a patch. Moreover, the infectious Web sites are not just those of minor companies inhabiting the backwaters of the Web, but major companies, including some banks