“They chose to address only one part of the problem,” said Jelmer Kuperus, a computer science student in the Netherlands who posted the code for the work-around. “They should have seen this one coming.”
This marks the third time in a month that Microsoft has had to play catch-up to researchers’ public disclosures about insecurities in Internet Explorer. In early June, Kuperus found a Web site that used two previously unknown vulnerabilities, plus the recently patched one, to install adware on victims’ computers. Additionally, security researchers discovered last week that a milder vulnerability, which Microsoft had fixed in early versions of the browser, reappeared in later versions.
I’ve suggested on more than one occasion that perhaps it’s time for folks to make the switch to Mozilla/Firefox for their browsing, and it was major headlines when the U.S. Government suggested the same thing. Adding insult to injury was this article by Paul Boutin on MSN’s Slate about how Firefox trumps IE and why he uses it. That had to hurt, though I give Microsoft credit for allowing Boutin to speak his mind on their site without fear of reprisal. It looks like some folks are taking these suggestions to heart, as Wired reported that there was a spike in Mozilla downloads after the CERT announcement.
Microsoft is trying to reassure folks that security is its top priority; it has acknowledged this latest problem and promises that more fixes are coming. But part of the problem they’re facing is that these new attacks take advantage of multiple vulnerabilities: problems which were considered more or less harmless by themselves, but which, when combined, allow hackers to compromise your system. A lot of them are within the ActiveX system, and it’s leading some to question whether ActiveX should be yanked out of IE completely. Not sure how feasible that is, considering that it’s critical to sites such as Windows Update, but it definitely looks like something Microsoft needs to go over with a fine-toothed comb.