Slashdot posting: Several Critical MSIE Flaws Uncovered. An anonymous reader writes “Several flaws have been uncovered by security firm eEye in Microsoft’s Internet Explorer. The flaws allow remote compromise of computers running Windows Operating Systems and affect IE, Outlook and possibly other MS software. With the next MS Windows security bulletin release scheduled for June 14, 2005 news sources are reporting that in comparison with the Mozilla Foundation’s prompt fix for the recently reported Mozilla 1.0.3 vulnerabilities MS appear to be leaving a large window for the possible malicious exploitation of these flaws.”
Of course, if Microsoft can come up with a patch, successfully test it against the many configurations it supports, and feels the threat of the exploit actually appear in the wild, I would expect them to release it. With Mozilla having delivered several quick turn-arounds on security patches, Microsoft has their work cut out for it: a quick response is required, but an admission of insecurity, and a huge liability if it fails (imagine a patch the brings down a large number of machines). If the release is not quickly forthcoming, Microsoft has an opportunity to downplay the threat, especially if it is more theoretical than something actually found in the wild. Playing the numbers game, if the release can beat out the exploit, Microsoft gets to claim they are taking care of their customers their best One Microsoft Way. But… if the exploit hits the street… if the exploit is nasty enough… another mess like Melissa or SQL Slammer will cost their customers millions of dollars of clean-up. Their customers have spent these millions before, and they will likely spend them again. But Microsoft plays a very dangerous game in dealing with security as a PR management process rather than a security issue to be dealt with out delay. Looking forward to learning more details on this problem, and watching Microsoft’s response.
Tracey Donvito