Microsoft’s arrogance means lack of security for many shops

There is another vulnerability discovered in Internet Explorer that is actively being attacked by known exploits. Microsoft even acknowledges they are “still seeing only limited attacks”.

Websense is reporting that the number of sites taking advantage of this unpatched hole is over 200.

But Microsoft has chosen NOT to release the patch saying that “the IE team has the update in process right now and if warranted we’ll release that as soon as it’s ready to protect customers.”

So the IE team isn’t yet ready to protect its customers despite the fact that a fix is ready? What is the magic threshold of already compromised machines needed before I can protect my customer base? Why is it so important for Microsoft not to release an out-of-cycle patch? Why is Microsoft dictating the security of my network?

This is the reason I’m doing everything I can this year to implement security measures that do not force me to rely on Microsoft’s patches as a means of mitigating risk for my customers.

The timeline of this vulnerability is rather interesting:

March 22nd: Vulnerability disclosed
March 23rd: Exploit code discovered
March 24th: Detection signatures released for IPS devices
March 26th: Detection heuristics released for AV vendors
March 27th: Still waiting for a patch from the vendor…
March 27th: Some third-party patches released
March 28th: Still waiting for a patch from the vendor…
March 29th: Still waiting…

It looks like part of my post was inaccurate. This blog entry clarifies it a bit, stating that Microsoft isn’t holding back a completed patch. They have in fact not completed the patch at all.

So we’re now six days beyond public disclosure and are seeing third-party patches being released, but still no official patch from the vendor.