On March 1st (my birthday, as it happens) Microsoft published a security advisory about yet another vulnerability within their products. This time it concerns Windows 2000, Windows XP SP3, Windows Server 2003 and Internet Explorer. But their attitude about it is – to my mind – all wrong.
They were critical of the way the vulnerability was notified. The researcher who made the public notification, Maurycy Prodeus, did so on 26 February.
Yet if you dig a little deeper, you discover that Microsoft are being disingenuous. According to Maurycy’s own report, he notified Microsoft on February 1, almost a full month earlier.
So what they’re really miffed about is that they didn’t get to hush it up. Either that, or they should be conducting a massive internal inquiry into why nothing was apparently done for three weeks (we can only judge them by their actions: i.e., none, apparently), whereas once the information became public – a service to the users of Microsoft products – they managed to respond within a weekend.
The vulnerability revolves around pressing the F1 key when prompted by a specially crafted dialog box generated by a malicious website.
Those dialog boxes are getting to be a real liability IMHO (see Déjà Plagié).
The timing is interesting, because I had planned to blog about the ongoing dismantling of major league “bot nets” (the largest contains 12.7 million PCs) – which I will do, shortly – and the growing evidence that current approaches to computer security are continuing to fail. Crime is paying – big time.