November 21, 2005

Again with the Irresponsible Disclosure - 0-day IE exploit in the wild

It hasn't even been 3 months since my last tangent on Why Responsible Disclosure should trump 'Glory Hounding', and we see it yet again.

A UK security research group calling themselves "Computer Terrorism" has released a proof-of-concept exploit that works against patched versions of Internet Explorer. The underlying vulnerability has been known for a few months now, but until today it had been treated as a denial of service (DoS) issue only. The author of this PoC figured out a way to turn that older bug into code execution.

The PoC simply launches calc.exe as the user running the browser. However, we took this further and confirmed that you can do pretty much anything you want with it. We were able to download a nasty payload and nuke a few VMware sessions in the process.

The current mitigation is to disable Active Scripting (JavaScript) in Internet Explorer, or to use an alternative browser such as Firefox. However, twice Firefox locked up on me as I was testing this, requiring me to kill the process and restart it.
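
The mitigation above is a per-zone browser setting rather than a patch, so it is worth being able to check and flip it from a script. The following batch file is an added example, not code from the original post or from Microsoft: it reads and, on request, sets the Active Scripting value for the Internet zone of the current user. It assumes the standard per-user zone key under HKCU (zone 3 is the Internet zone, value 1400 is Active Scripting, 0 = enable, 1 = prompt, 3 = disable) and the hypothetical filename ie-scripting.cmd.

```batch
@echo off
rem Added example (not from the original post): report and optionally set
rem the Internet Explorer "Active Scripting" setting for the Internet zone
rem of the current user.
rem Assumptions: per-user zone settings live under the HKCU key below;
rem zone 3 = Internet, value 1400 = Active Scripting;
rem 0 = enable, 1 = prompt, 3 = disable.
rem Usage:  ie-scripting.cmd            (report current value)
rem         ie-scripting.cmd disable    (set to 3)
rem         ie-scripting.cmd enable     (set back to 0)

setlocal
set "ZONE_KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

if /i "%~1"=="disable" set WANT=3
if /i "%~1"=="enable"  set WANT=0

rem reg.exe prints "1400  REG_DWORD  0x3"; the third token is the value.
for /f "tokens=3" %%v in ('reg query "%ZONE_KEY%" /v 1400 2^>nul ^| find "1400"') do set CUR=%%v

if not defined CUR (
    echo Active Scripting for the Internet zone is not set per-user ^(IE default applies^).
) else (
    echo Active Scripting for the Internet zone is currently %CUR% ^(0x0=enable, 0x1=prompt, 0x3=disable^).
)

rem No argument: report only.
if not defined WANT goto :eof

reg add "%ZONE_KEY%" /v 1400 /t REG_DWORD /d %WANT% /f >nul
if errorlevel 1 (
    echo Failed to write %ZONE_KEY%\1400
    exit /b 1
)
echo Set Active Scripting for the Internet zone to %WANT%.
echo Restart Internet Explorer for the change to take effect.
endlocal
```

Two caveats a practitioner would want: the script only touches the Internet zone (Zones\3); a page reached through the Local intranet zone (Zones\1) is governed by that zone's own 1400 value. And if an administrator has applied the Security_HKLM_only policy, the per-user HKCU values are ignored and the equivalent HKLM key is what counts.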

Susan posted that "Yes the sky is falling". She points out that if you run with least privilege, this won't do much. I disagree. We were able to delete the entire contents of the user's My Documents folder by simply clicking a link in OWA. With a bit of phishing-type technique, this could get ugly fast.

But that's not the point of this post. What I am vexed about is that this PoC is out in the first place. Where was responsible disclosure in this matter? People are scrambling about this one, and no clear message is coming out of Microsoft. You can't blame them; they are in reaction mode in the security center right now looking into this.

Sidebar: as I am writing this, I just got an email with a link from someone showing a PoC that opens a remote shell. *sigh*

As I said three months ago, lately it seems far too many people are in a rush to get their name out there instead of following responsible disclosure rules when reporting vulnerabilities in software. And now this one is being fueled further, as every security incident website carries the story, each with its own little piece of info to boot.

STOP IT. Act responsibly. Talk to the vendor. Give them the PoC. Let them release a patch within a respectable time frame before you go public. Let users and administrators have a chance to fix this before it does damage in the real world. You are not helping the industry. You are hindering it. *sigh*

Too late for this one. Time to go back to pine, gopher and lynx, I guess.

Posted by SilverStr at November 21, 2005 12:04 PM
Comments

Enough with the excuses! When do you think Microsoft will get around to patching this *FIVE MONTH OLD* flaw?

Help me understand this: MS determines it's only a DoS issue so IE users must wait 5-6 months to get a fix? How exactly does that work? Stop blaming the researchers and point the finger where it belongs.

Posted by: black_cat at November 21, 2005 07:34 PM

Hold on a second. I never said Microsoft shouldn't be accountable for this flaw. Far from it. But this PoC code, which shows that it can execute arbitrary code and not just cause a DoS, is BRAND new. The vendor (in this case Microsoft) was NOT given an opportunity to escalate this and fix it properly. And to start with, the original report by Benjamin Tobias Franz was irresponsibly disclosed, which allowed the UK group to use his research as a base for this exploit!

The criticality of this flaw as a DoS is much lower than that of an arbitrary code execution flaw. This significantly increases the impact that this attack pattern has on the real world, and the impact it may have on the Internet as a whole.

I will put the blame on irresponsible disclosure. I stand by that assessment. If you want to slag on MS for not releasing a fix in time, by all means go ahead. I agree that the length of time for the original report is much too lengthy. But that doesn't absolve the researchers from their responsibilities. Far from it.

For the record, Microsoft has had less than a day to deal with this new threat to this vulnerability. Since then, they have released a Microsoft Security Advisory (911302) and are now working to resolve the more critical issue.

Posted by: Dana Epp at November 21, 2005 11:29 PM

Hear, hear Dana! Computer Terrorists essentially disclosed a new flaw that is related to the original DoS but has new consequences Microsoft couldn't have seen coming.

I think the industry needs some kind of karma mechanism to counter this kind of glory hounding.

In the meantime, thanks Computer Terrorists for living up to your name and making the internet a worse place.

Posted by: Dominic White at November 22, 2005 12:31 AM

I disagree, Microsoft have had plenty of time to look at this - 6 Months!!!!!!!

I find it hard to believe that this kind of exploit was not already being used by hackers to get at your computer. Now it's all out in the open, at least we know how to counter the threat, and perhaps now Microsoft can finally give it the proper due care and attention it deserves.

Rich

Posted by: Richard Parks at November 22, 2005 02:53 AM

let's all put the blame on the researchers and just forget the fact that the "bugs" shouldn't be there in the first place...

Posted by: pussy at November 22, 2005 08:16 AM

Sidenote: IE froze on my system instead of launching calc.exe. I had to kill the process.

I agree with this being irresponsible disclosure. On the other hand, why has MS not patched the 6 month old DoS problem? No... not flame bait... I mean it really. Is there any technical reason for this? Or was it not addressed immediately since the threat had a low rating?

S.Vidyaraman

Posted by: S.Vidyaraman at November 22, 2005 08:33 AM

I guess if IE is your last line of defense then you should be worried.

firewalls, proxies, virus software, root kit defenders, spyware detectors, etc...

This isn't such a big deal.

Posted by: Adam at November 22, 2005 11:22 AM

The whole notion of "responsible disclosure" is ridiculous to begin with. Like the "laws of war" it attempts to make an unpalatable practice somehow palatable. Bottom line: bad guys don't follow rules.

People should already have defenses in place to protect against any 0day (which this isn't really, btw) in the wild. But they don't because we've led them to believe that somehow we will find all the bugs before the bad guys. Foolish. The really bad guys laugh at this practice because it is a great distraction for them.

Note to everyone: please don't hire any developer who thinks MS should just "not have bugs to begin with" - they are either fooling themselves or they are hypocrites. Either way, they crash and burn on any large project.

Posted by: Pete at November 22, 2005 01:22 PM

Sorry D,
I have to agree, Microsoft are a global, $300bn company - exactly __why__ didn't they patch this the same month it was exposed? Lack of resource? Bad press? Testing took 6+ months???!!!??

I cannot think of ___any___ good reason for this, except for:
a) malice, hiding the problem.
b) incompetence ("Oops! We checked the source, and yea, it's not DoS it's remote code exploitation after all.")

If Ford had had such a problem with their products, they would be forced to recall their product.

With Microsoft: "Well, if we get bad press, we'll throw together a poorly tested patch, like last time." appears to be MS policy.

How many more unpatched remote exploits are MS sitting on, with __NO__ intention to patch? How many of these are already being exploited to steal from banks, break into companies/governments and install malware?

Nobody knows, but after today, it's one less.

6 months ago MS decided, without their knowledge, but on their behalf, that their systems should be insecure....

Tomorrow billions of people will have the _choice_ and information required to protect their own systems from the attacks that (almost certainly) professional blackhats already know about and are exploiting.

Posted by: Dom De Vitto at November 22, 2005 03:12 PM

Pete,

You are right. Bad guys don't follow rules. With that said though, security researchers who want to gain respect in the eyes of their peers need to step up and live and work above that. Following a code of ethics (I personally try to follow the ISC2 standard) on how you conduct yourself in the information security world shouldn't just be an afterthought... it should be a personality trait.

My point here is that if a security group wants to be looked upon as professional and be part of the positive forces in the infosec community, they should think deeper into their actions before blindly posting exploit code. I fully understand that they wish to be acknowledged for their work, and show how 'good' they are. However, I don't believe the actions here are helping the industry... they are hindering it.

Everyone has such interesting comments on this post about software assurance and testing levels. Instead of answering each one, I hope to do a post later tonight to discuss this further. Some of your vexation is quite understandable; others show that some people don't understand the software development lifecycle as it relates to software of today. Hopefully I can clear that up tonight.

Posted by: Dana Epp at November 22, 2005 03:25 PM

I don't wish to turn this into a flamefest and I'm not here to defend the actions of the so-called researchers who released the exploit.

That said, isn't it Microsoft's responsibility to investigate the original notice *SIX MONTHS AGO* to determine that it was not simply a DoS issue? Isn't that the stated reason/s (from MS) why vulns take so long to get patched?

They typically say they are investigating all known attack vectors during patch creation yet, something this evil was sitting there for *SIX MONTHS*. Why didn't Microsoft spot this code-execution issue? Why isn't it fixed yet?

That is the issue. The debate about disclosure is a distraction that plays into the hands of Microsoft's irresponsible behavior. That's it, I'm done.

Posted by: black_cat at November 22, 2005 05:50 PM

I wanted to address S.Vidyaraman's comment:

"On the other hand, why has MS not patched the 6 month old DoS problem ? No ..... not a flame bait ....... I mean it really. Is there any technical reason for this?"

At least you're asking, and that's a good thing. I think a lot of the folks who jump to lower the boom on MS in incidents like this are forgetting the incredibly large ecosystem that has formed around MS products, and thus the incredibly complex minefield they walk when it comes to making any change to their software (whether it's a bug fix, a security patch, a new feature, or something else).

Spend a little time reading Raymond Chen's weblog for the flavor of what I am talking about. He regularly surprises me by relating the tale of how one bug or another becomes something that one or more customers depend upon for their own software or internal processes to work. Remember that MS's customers aren't just corporations and home users (you and me) but thousands and thousands of OEMs, software vendors, governments, and more. One man's ceiling is another man's floor - and so one person's bug is another person's feature.

This isn't astroturf (I have no relation to Microsoft) and it isn't an apology for MS's behaviour. All I am suggesting is that anyone who is boiling mad at MS over this should stop and consider all the possible reasons MS might have delayed a response to this particular issue ... and my prior paragraph is just one subset of the total set of possibilities!

Computer Terrorism are, or claim to be, a legitimate security business interested in increasing the level of security for their current and potential clients. Releasing exploit code into the wild without even attempting to follow responsible disclosure rules is a bad way to go about that.

Posted by: Bryan at November 23, 2005 08:20 AM

Negative. Call your stockbroker and tell him that the investing class will be much better off if he can see his way clear to sell common shares at 50% below the ask. Coddling defective software prolongs the problem.

Posted by: Larry at November 27, 2005 11:12 AM