IE Flaw Puts Windows XP SP2 At Risk
Zigor writes "CNET is reporting that a new flaw has been discovered in Internet Explorer that could enable a remote attack on systems running Windows XP with Service Pack 2, eEye Digital Security has warned. The discovery of this IE flaw comes just over a month after Microsoft issued a cumulative patch addressing three vulnerabilities for IE. The new IE flaw also adds to another vulnerability, discovered last month, that affects systems using Windows XP SP2."
A Microsoft representative confirmed that the company had received the report from eEye and said it will be investigating the issue. Because the details of the vulnerabilities have not been made public, users are not at risk of an exploit being developed to take advantage of the flaw, the representative said.
What kind of STUPID commentary is that? I mean, geez, why doesn't Microsoft just come out and say that the "peekaboo" method of virus security is a valid defense! "nyah, nyah, my hands are covering my eyes so the exploit can't harm you!"
- releasing a patch after the report of said vulnerability
- buying an antivirus company
- buying an anti-spyware company
Would it not make more sense to be proactive and just outright buy a security company, or at least buy their services to just beat the shit out of Windows 24/7? This way, most flaws would be known first to MS, and could be patched before they become widely exploitable. What the fuck am I missing from this equation? Never mind the snappy responses about how M$ are greedy bastards... from a business perspective, why the hell hasn't some top level big-wig at MS pushed for this?
Security holes are quality issues. If Microsoft took only 10% or 20% of its annual profits, which are well above 10 billion dollars, and spent that money on additional security test centers and code review groups, then they could greatly reduce the number of critical flaws. Think of how many security experts and code reviewers they could hire for an extra 1, 2 or 3 billion dollars a year.
Their .NET architecture with its managed-code approach would at least avoid those buffer overflows that allow for the execution of hostile code, but MSFT isn't too fast at porting its existing code base to .NET.
The only way that MSFT will make the necessary investments is if they feel ever more competitive pressure. I personally don't intend to switch from the MSFT platform to anything else, but every Linux migration decision by some public administration or corporate IT department has the potential to indirectly make Windows and those other MSFT products more secure. It's too bad that the governor of Massachusetts, according to information from a pretty good source, stopped the state government from going ahead with its plans for a Munich-style open-source migration. Those types of breakthroughs for Linux on the desktop are key; otherwise those reports of critical security bugs in MSFT's programs will continue to be issued as frequently as they are these days. A near-monopolist can always get away even with serious security flaws.
If MSFT doesn't get some more competitive pressure on the desktop, then their strategic focus will mostly be on how to compete with Internet powerhouses like Google and Yahoo, and console manufacturers like Sony.
I would advise you to read this essay. Being written in an unsafe language does not intrinsically make something insecure - it just makes it a bit harder to write secure code. Likewise, a bad coder can write insecure code in a safe language.
I am TheRaven on Soylent News
Just a reminder as the FF vs. IE flame wars rage:
...
Both IE and Firefox will have bugs that cause security issues. One critical difference is that Firefox empowers the community to fix the issues ASAP, whereas with IE you will *always* be waiting on Microsoft.
I use the Fedora distribution and typically an announced Firefox bug is patched and available via 'yum' within a day or two, if not faster.
Firefox allows you to put your trust in the open source community, while IE requires your trust in Microsoft. I think that's pretty much a no-brainer decision for anyone with a passing knowledge of Microsoft history.