MS Finds Security Flaw In Google Chrome Frame
Christmas Shopping writes with this excerpt from Kaspersky Labs' threatpost: "Back in September, when Google launched the Google Chrome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure. Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a 'high risk' security vulnerability that could allow an attacker to bypass cross-origin protections."
"Google has hurried out a patch," he adds.
Patch Tuesday is the fault of the big corporate customers, who demanded that patches be released on a schedule so they had more time to plan around testing and rolling them out.
I don't like it either, but it's not like it's something MS made up just to piss us off; they're doing exactly what their customers have asked for.
It's official. Most of you are morons.
At first I thought the "Google has hurried out a patch" in the summary was a quote from MS glibly dismissing the notion of fixing the problem in a timely manner, but looking through the article it seems this is a remark made by the submitter.
(1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons
The exploit usually comes before the fix, but not always. Firefox frequently deploys fixes for security holes they've found themselves, where not even a 'proof of concept' exists. Many other applications are the same.
Microsoft will release a patch "out of band" (not on patch Tuesday) when it is an emergency critical type issue. The others, they release on the same day so that corporations get the benefit of a single set of patches to look for and home users get all the patches with one reboot instead of a dribble of patches over the month, some of which require a reboot and some of which don't.
Why can't vendors implement their own Patch Tuesdays? That is, Microsoft would release patches any time, and large vendors would simply allow them to accrue until their internal "Patch Tuesday" came around, at which time they'd test and apply the patches.
The vulnerability that the patch fixes is often disclosed along with the patch. So by the time the vulnerability becomes public, the script kiddies are likely already exploiting the vulnerability against targets with their own patch schedules.