reports: “BOSTON – Microsoft warned customers about computer code that exploits holes in the company’s software and blamed security researchers for publishing proof of concept code to trigger the vulnerabilities, which was then turned into working attacks.”
This isn’t about shooting the messengers. It’s common practice to notify the vendor when you find a flaw and to give a reasonable grace period before publicly releasing enough information to exploit it, so that the vendor, open source or closed, has a chance to distribute a patch. In this case the patches are already out there, as I blogged on Wednesday. It just takes a while for a few million people to apply them, and most of us like to wait and hear whether others discover problems with a patch before installing it.
However, it was Microsoft that publicized the vulnerabilities, and you can bet that others had already reconstructed the exploits before any proof-of-concept was posted, working from the description Microsoft provided and from the binary patches themselves, which point directly to the affected code.
This still points back to Microsoft. Downloading and displaying a graphic should not allow remote code execution under any circumstances; an image is untrusted data, and a decoder that can be made to run it as code is a design failure, not just a bug. A deep problem with the Microsoft operating system security model is being exploited once again.