Yeah I already ripped my TAM a new one on this. They better have these patches ready for Tuesday...
Z Edward Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I, ME, CCA, Security +, Network + [email protected] Phone:401-639-3505 ________________________________ From: Rob Bonfiglio [mailto:[email protected]] Sent: Friday, July 10, 2009 10:08 AM To: NT System Admin Issues Subject: Re: IE zero day exploit Microsoft new for 1+ yrs of this flaw It won't be. They say so in the article. On Fri, Jul 10, 2009 at 9:55 AM, HELP_PC <[email protected]> wrote: And who will assure us that Tuesday patches will be really definitive ? GuidoElia HELPPC ________________________________ Da: Rob Bonfiglio [mailto:[email protected]] Inviato: venerdì 10 luglio 2009 14.56 A: NT System Admin Issues Oggetto: Re: IE zero day exploit Microsoft new for 1+ yrs of this flaw I'm not defending them....not knowing much about how the attack works it's hard for me to defend them; 16-18 months does seem like an excessive amount of time. But the fact that one of the discoverers of the vulnerability did kind of defend them in the article should be taken into account. This is a quote from the article: Although Reavey declined to get specific today, Smith, one of the researchers who reported the vulnerability, hinted at reasons. "The nature of this flaw is sort of unique," he said. "The mechanics of this are sort of unique as well. It was those unique qualities that required more time than Microsoft would normally need." Smith refused to criticize Microsoft for not patching sooner. "All along the way, they've told me how far things have progressed," he said of Microsoft's security team. "They would ping me every time they reached a milestone on the fix." On Fri, Jul 10, 2009 at 8:37 AM, Ziots, Edward <[email protected]> wrote: http://www.computerworld.com/s/article/9135370/Microsoft_admits_it_knew_of_critical_IE_bug_in_early_08?source=CTWNLE_nlt_dailyam_2009-07-10 You know this type of stuff really burns me up, they knew since early 08 of this flaw, and did nothing about it, to fix it and get a patch out. No they gotta wait till hackers start exploiting this on a mass scale, and then they start paying attention. Scary part is how many other exploits do they know about that could have system-compromise type payloads, and haven't done anything about it. Again another PR nightmare and another black-eye for M$ because of there lack of due-diligence, has put customers at risk. Now note the fix is supposed to be coming out Tuesday for the various reported flaws ( including the last 2 IE ones) but it's a little too late when the bad guys already have plowed through thousands of computers and websites, with there exploits, and now those machines are apart of botnets, that are probably behind the spamming, and DDOS/DOS of GOVT sites, which has been posted on ISC from SANS. Any thoughts folks? Tell yeah TAM's Z Edward Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I, ME, CCA, Security +, Network + [email protected] Phone:401-639-3505 ________________________________________ From: Eric Wittersheim [mailto:[email protected]] Sent: Thursday, July 09, 2009 6:35 PM To: NT System Admin Issues Subject: Re: Trend Micro and IE zero day exploit hmm, makes me wonder if OpenDNS is offering something like this. I think I'll take a look. On Thu, Jul 9, 2009 at 5:07 PM, Devin Meade <[email protected]> wrote: FYI - If you have Trend Micro Office Scan and are using the web reputation feature, you are covered: http://us.trendmicro.com/us/threats/microsoft-mpeg-vulnerability/index.html "Trend Micro products with Web Reputation technology currently block malicious URLs associated with this exploit." -- Devin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
