I'm not defending them....not knowing much about how the attack works it's hard for me to defend them; 16-18 months does seem like an excessive amount of time. But the fact that one of the discoverers of the vulnerability did kind of defend them in the article should be taken into account. This is a quote from the article:
*Although Reavey declined to get specific today, Smith, one of the researchers who reported the vulnerability, hinted at reasons. "The nature of this flaw is sort of unique," he said. "The mechanics of this are sort of unique as well. It was those unique qualities that required more time than Microsoft would normally need."*

*Smith refused to criticize Microsoft for not patching sooner. "All along the way, they've told me how far things have progressed," he said of Microsoft's security team. "They would ping me every time they reached a milestone on the fix."*

On Fri, Jul 10, 2009 at 8:37 AM, Ziots, Edward <[email protected]> wrote:

> http://www.computerworld.com/s/article/9135370/Microsoft_admits_it_knew_of_critical_IE_bug_in_early_08?source=CTWNLE_nlt_dailyam_2009-07-10
>
> You know this type of stuff really burns me up, they knew since early 08 of this flaw, and did nothing about it, to fix it and get a patch out. No they gotta wait till hackers start exploiting this on a mass scale, and then they start paying attention. Scary part is how many other exploits do they know about that could have system-compromise type payloads, and haven't done anything about it.
>
> Again another PR nightmare and another black-eye for M$ because of their lack of due-diligence, has put customers at risk.
>
> Now note the fix is supposed to be coming out Tuesday for the various reported flaws (including the last 2 IE ones) but it's a little too late when the bad guys already have plowed through thousands of computers and websites, with their exploits, and now those machines are a part of botnets, that are probably behind the spamming, and DDOS/DOS of GOVT sites, which has been posted on ISC from SANS.
>
> Any thoughts folks?
>
> Tell yeah TAM's
>
> Z
>
> Edward Ziots
> Network Engineer
> Lifespan Organization
> MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
> [email protected]
> Phone:401-639-3505
> ________________________________________
> From: Eric Wittersheim [mailto:[email protected]]
> Sent: Thursday, July 09, 2009 6:35 PM
> To: NT System Admin Issues
> Subject: Re: Trend Micro and IE zero day exploit
>
> hmm, makes me wonder if OpenDNS is offering something like this. I think I'll take a look.
>
> On Thu, Jul 9, 2009 at 5:07 PM, Devin Meade <[email protected]> wrote:
>
> FYI - If you have Trend Micro Office Scan and are using the web reputation feature, you are covered:
>
> http://us.trendmicro.com/us/threats/microsoft-mpeg-vulnerability/index.html
> "Trend Micro products with Web Reputation technology currently block malicious URLs associated with this exploit."
>
> -- Devin
