Microsoft Patches VML Vulnerability
Uncle Rummy writes, "Microsoft has quietly released an official patch for the zero-day VML vulnerability. The patch was publicly available yesterday, but Microsoft has just added it to the Security Bulletin Index." Eight days from time of first report to patch is pretty fast for Microsoft, and is almost two weeks ahead of their normal patch schedule. This security flaw was being aggressively exploited out in the wild.
Re:Firefox not vulnerable because VML not supporte (Score:3, Insightful)
Could this have something to do with... (Score:5, Insightful)
Re:Not a bad turnaround (Score:5, Insightful)
The virus/worm writers are the ones releasing the exploit into the wild the day after patch Tuesday.
That way they are more likely to have it expand for an entire month before MS patches it and messes up their fun.
Security researchers generally want things secure. Virus/Worm writers don't.
Probably not (Score:5, Insightful)
You might not agree with the policy but that's how it is, and there are reasons for doing it that way. People already whine about patches breaking systems when at present it's an extremely rare occurrence (in all the cases I've encountered, said system was spywared and that was the problem). If they rushed patches out without testing and they ended up breaking things, it could easily get to a state where people refused to patch because they were more scared of the patch than the problem.
We are dealing with non-technical users here, remember. A patch can't include a page of instructions of things you need to check first, nor can it be assumed that if it causes a problem the user can troubleshoot and fix it. It pretty much has to work straight off, and has to do so on literally tens of millions of permutations of software and hardware configurations.
Personally I'd like to see a compromise where they'd release an unofficial, untested patch for power users as soon as they could and the full patch later after testing. However the likely problem would be the unofficial patch would get in the wild, people would tout it as the official MS patch, something would go wrong, and they'd get blamed anyhow.
Re:Not an issue for some (Score:2, Insightful)
Re:XP SP2 problems (Score:2, Insightful)
The only trouble I am seeing is why it has taken you so long to put SP2 on [some of] your machines.
It's NOT! 10/10/2006! (Score:3, Insightful)
Quietly? (Score:2, Insightful)
Re:Not a bad turnaround (Score:3, Insightful)