Since October 2003, Microsoft has followed the tradition of releasing patches for its software products on the second Tuesday of every month. The most recent of the series was June 9th, which saw a record release of patches.
Looking on the bright side, quite a few flaws have been fixed through this group release, but my question would be: how many users were vulnerable and prone to attacks before this date? Last Tuesday’s release had no fewer than 10 security patches, including one for a critical hole found in Internet Explorer 8. This means that before this, everyone using Internet Explorer 8 was easy prey for hackers. And what tells us that there aren’t more such holes?
I’m pretty sure that the answer to the above question will probably come on Tuesday 14th July and on every second Tuesday of the subsequent months. Microsoft has been organizing hacking contests where a number of hackers from around the globe try to exploit any possible vulnerabilities in the software so that Microsoft can then have them fixed. Unfortunately, the above critical security hole was identified way back in March, and Microsoft took 3 months to issue the fix. This means that during these 3 months, the flaw had been identified and could have been ‘made public’ whilst IE 8 users were vulnerable.

Is your browser making you vulnerable?
What was the flaw?
Out of the 8 Internet Explorer patches that were released, the most important one fixed a hole which permitted remote code execution when the user viewed a specially-crafted website. This meant that hackers would be able to run code on the user’s machine (for their own intents and purposes) simply because the user viewed a particular website or websites.
What else was released?
Quite a number of other patches were released, particularly revolving around the Microsoft Office products Word and Excel. The flaw was similar to the above, but the possibility of remotely running code would derive from the user opening a specially-crafted Word or Excel file, making it somewhat more difficult to exploit.
My concern as a user
Whilst I understand that no code is perfect and that patches will always be required, my main concern is that such a flaw was quite critical and a user could easily fall prey to such attacks, considering that some users view hundreds of websites each day. Why did Microsoft take 3 months to release the fix? If it was as critical as described, couldn’t they have moved away from their second-Tuesday-of-the-month tradition and released it as soon as the fix was completed, in order to reduce the possibility of users falling victim to such attacks?

You just noticed another example of Microsoft’s disregard for the safety of their clients.
Unfortunately that’s the way that Microsoft works apparently. The thing is that we’re paying for this software and getting something full of bugs.
Imagine buying a car, and after 3 months you’re contacted by the supplier to get the car to the factory so that they install your seatbelts and airbag! This is what’s happening here.
That is very true, but at the end of the day, why do people still use Microsoft products? I am quite happy using open source as operating system and browser, and I must say that the vulnerabilities are much fewer and so are the patches, mainly because whatever needs to be fixed is done before releasing!