Microsoft Patches IE Flaw Used in Google Hacking
Microsoft has known about the Internet Explorer bug from the Google hack since September 2009.
A critical security flaw in Internet Explorer 6 played a role in the hacking of many top tech firms, including Google, which led to the current drama between the U.S. search giant and China.
Microsoft yesterday released the update that should patch the hole in Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8. Those who have Automatic Updates enabled should be able to find the update through that means; otherwise it can be downloaded here.
Interestingly, Kaspersky Labs Threatpost reports that Microsoft learned of this security hole back in September 2009 and planned for a patch in February 2010, but the company had to accelerate its plans in light of the recent hacking of Google.
SAL-e Security by obscurity Security.
When are we going to learn the lesson? Probably never!
In this case I am more mad at Kaspersky for keeping quiet for more than 3 months. They just enter into my black list.
edilee Why are "top tech firms" still using Internet Explorer 6 LOL. Guess they still using 386 machines too?
JD13 Systems administrator asleep at the wheel...
Is it better to find the flaw & report it right away or wait until you have a patch then tell everyone?
maximus20895 Yet another reason why Firefox wins and IE is horrible.
Interestingly, Kaspersky Labs Threatpost reports that Microsoft learned of this security hole back in September 2009 and planned for a patch in February 2010
So let me get this straight, they knew about it in September, but purposely put it off until four months later? Why wouldn't they fix the flaw ASAP?
dravis12, quoting SAL-e: "Security by obscurity Security. When are we going to learn the lesson? Probably never! In this case I am more mad at Kaspersky for keeping quiet for more than 3 months. They just enter into my black list."
It doesn't say that Kaspersky knew that there was a problem in September, only that Microsoft was aware of it. How is that Kaspersky's fault?
SAL-e, quoting dravis12: "It doesn't say that Kaspersky knew that there was a problem in September, only that Microsoft was aware of it. How is that Kaspersky's fault?"
Ok. My assumptions were:
1. Kaspersky found the bug.
2. Kaspersky privately reported the problem to MS.
3. MS and Kaspersky, using security by obscurity, took more than 3 months to release the knowledge and fix for the problem.
If you read the MS security bulletins as I do you will notice that more than 80% of the problems are privately reported to MS and only a small part of them are discovered by internal audit. That is why I made those assumptions.
But I see your point. From the information provided by the article there is another possibility: that Kaspersky learned about the problem from MS and they are outraged that MS took more than 3 months to fix the problem.
Thank you for correcting me.
spectrewind, quoting ethanolson: "Microsoft said everyone should ditch IE6. Listen to them!"
As has been pointed out in many other threads, not every business has the money/man-power to just deploy software updates like this. In a production environment where IE6 is supported for web interfaces, but IE7 (or higher) are not, it makes more sense to continue using IE6 with a few expected infections than to pull everyone forward to the current IE and cause a web-based application to cease to work.
Some will point out that the web application should be upgraded. Again, planning, money, and man-power decide this, and it generally needs to be tested prior to roll-out.
Dealing with on-occurrence virus infections is easier, given this, when you can just re-image a machine from a known-good config.