They knew a year in advance
Fuck me Microsoft, you lot were quick off the blocks to fix that one.
Microsoft was aware of a critical vulnerability in an Internet Explorer component at least 12 months before attackers started targeting it in lethal exploits that take full control of end-users' PCs, a member of its security team said Wednesday. The disclosure comes as attacks targeting the MSVidCtl ActiveX control …
IE = Internet Exploitability
Of course M$ knew, at the time it was considered a feature. A flaw by design if you will.
But be fair to Apple, no one is using Java on Macs; COCOA & Obj-C make Java a heap of pooh. No one, well except the likes of IE users on M$ ... every village has got its idiots.
This is why I cannot trust my computer's security to the McDonald's of the Software world,
Sure kids love them, they just have no idea about the hidden dangers of using their products ....
When the company can do more than flip CDs and say 'Have a nice day' I may be interested.
I bet Google would not allow such a serious long term vulnerability in their ChromeOS.....
At the same time, Microsoft engineers "had to make sure that we didn't unintentionally kill something that did have a known use."
Which implies that there are 48 things in your PC that are there but nobody knows what they are used for? I'm sure that my Ubuntu box would be considered "bloated" if it included 48 things that nobody uses.
Sorry, I know that this is done in the sacred name of that backward compatibility thing. And yes, I know that probably some obscure intranet page in a corporation has been running untouched for the last 8 years. Of course, it works in IE6 only. And could break because of this fix. But sometimes you need to act for the benefit of the majority and ignore the possibility of being sued or creating a minor inconvenience for your corporate customers.
And that article tells us that the problem is still not fixed and may even be unfixable, rendering the PC a Remote RobotIQ Host and the installed Operating System, the Undisclosed Covert Programs' Driver.
Or would that be likely Impossible/highly Improbable?
Reading all the waffle and prevarication excusing the inaction and hiding the System's inability to address the situation without having to replace the entire Operating System with a completely New and Different One was educational though. Thanks, Dan.
There are some who would say that to have correctly recognised the problem would allow one to provide a defensive solution to any future attack, and to provide a solution which would negate the need for Microsoft to rewrite their Operating System/Browser Unit, would be Worth a Large Fortune, which would be better MS Paid for Inhouse Defence, meThinks, than MS Lost to Proxy Attack, for at least then would it be an Added Extra Internal Investment rather than Crippling Catastrophic Increasing Liability.
However, the Stupidity of Man knows no Bounds, and Microsoft have a History of Monumental Arrogant Blunders/Odd Questionable and Oft Questioned Practices, so one can expect the strangest of things, to be able to happen. :-) ... but only one of them will be made of the Right Stuff.
[Bill will probably need to put his halo on for that decision]
More of a 365 or 400 day exploit. I think this demonstrates how bad the circular dependencies within Windows have become. You cannot deal with something as supposedly superficial as video-handling within the ActiveX layer of the browser, without eventually bumping things all the way down to COSD and back again. This is why a farm of several hundred machines in Building 26 takes several days to do a single complete Windows 'build' (and each 'build' actually takes many hundreds of actual builds, to iron out the dependencies, by a process of attrition). I wonder what those people within Microsoft, who argued that tight integration was a smart idea, are saying, now?
The count of 3 million is a bit high. To see the number of sites infected with this current strain, not the number of sites that talk about the b3b redirector site or just happen to use that phrase, try this search:
http://www.google.com/search?q=%22c.js%22+%22script%22
I get about 350,000
On buying a new laptop I came to the conclusion that I could not use a Windows OS outside a VM. Ubuntu for security and ease of use and XP or Win7 in a VM if needed...
I had been considering a dual boot but balked at the thought of having to use and trust a MS OS bare to the internet.
My discussion over the comparative benefits of Linux security was:
MS-Windows-IE:
Any file can be executed.
Can't trust MS to fix vulnerabilities - It could take a month!
Against MS's own interests to even admit to vulnerabilities.
No independent code review. (So you don't even know the total number of vulnerabilities).
Ubuntu-FF:
File Execute permission off by default.
Lots of ppl looking for vulnerabilities and huge pressure to fix them ASAP.
Not the target of most exploit code.
FF: no ActiveX.
Bottom line is trust and openness. But if anything it looks like I gave MS too much credit - A WHOLE YEAR!
WTF.
"mostly operated by legitimate organizations based in China. "
WTF??!! There are legitimate organizations in China??
Surely it ain't so. I thought all Chinese organizations were government run and operated with turning out the cheapest product for the masses as the bottom line? Let's not forget the espionage angle as well. And the hacking. And the farming. And the oppressing of their own citizens.
I seem to remember that when M$ proposed the ActiveX "architecture", every unbought security expert threw up their hands in horror, screaming "DON'T DO THAT".
But M$ did do that, proclaiming (as always) that it was "what their customers were demanding", and that the benefits outweighed the risks.
Permanent vulnerability was what their customers were demanding, clearly.
Well, it is Satan's Spawn, isn't it ??
This reminds me of an acquaintance of mine who, AFTER getting nabbed for driving around in a stolen car for several days, told the police that he wanted to report that his car had been stolen.
The copper said, "Surely you jest"......
Microsoft's wizard patches and "strong security" settings and all..... Microsoft is like having a 1000lb gorilla at the front door, while all the sneak thieves come in via the back door and the side windows and cellar, and they stick a gun up its arse and pull the trigger..
Its security dept is run by 8th grade dropouts..... and the tech support is run by "off shore call centers".
After years of using really shonky Microsoft OS's and software, and now having personally experienced just how EASY it is to have a system totally walked over by malware, I now REFUSE to have XP as an operating system on ANY net connected PC.
Making a Fixit available is no bleedin' use! Outside of carefully managed corporate environments, what proportion of the XP user base do you think will have heard of this problem and what proportion of *that* do you think will have taken the trouble to seek out and manually apply the fix?
If this is safe enough to release as a Fixit, it is safe enough to release on Windows Update, where it will be applied to a far wider user base and might actually do some good.