Microsoft patches last flaw discovered only to find out hackers have a work-around.

Do you remember that entry I put up a week or so ago about yet another flaw in Internet Explorer that had Microsoft suggesting folks turn off JavaScript? The flaw that Microsoft released a patch for last Friday to fix the issue? Seems there is still another flaw that can be used similarly to the just-patched flaw to accomplish the same goal:

Another Internet Explorer flaw found | CNET

“They chose to address only one part of the problem,” said Jelmer Kuperus, a computer science student in the Netherlands who posted the code for the work-around. “They should have seen this one coming.”

This marks the third time in a month that Microsoft has had to play catch-up to researchers’ public disclosures about insecurities in Internet Explorer. In early June, Kuperus found a Web site that used two previously unknown vulnerabilities, plus the recently patched one, to install adware on victims’ computers. Additionally, security researchers discovered last week that a milder vulnerability, which Microsoft had fixed in early versions of the browser, reappeared in later versions.

I’ve suggested on more than one occasion that perhaps it’s time for folks to make the switch to Mozilla/Firefox for their browsing, and it made major headlines when the U.S. Government suggested the same thing. Adding insult to injury was this article by Paul Boutin on MSN’s Slate about how Firefox trumps IE and why he uses it. That had to hurt, though I give Microsoft credit for allowing Boutin to speak his mind on their site without fear of reprisal. It looks like some folks are taking these suggestions to heart, as Wired reported that there was a spike in Mozilla downloads after the CERT announcement.

Microsoft is trying to reassure folks that security is its top priority, has acknowledged this latest problem and promises that more fixes are coming, but part of the problem they’re facing is the fact that these new attacks take advantage of multiple vulnerabilities: problems which were considered more or less harmless by themselves, but which when combined allow hackers to compromise your system. A lot of them are within the ActiveX system and it’s leading some to question whether ActiveX should be yanked out of IE completely. Not sure how feasible that is considering that it’s critical to sites such as Windows Update, but it definitely looks like something Microsoft needs to go over with a fine-toothed comb.

2 thoughts on “Microsoft patches last flaw discovered only to find out hackers have a work-around.”

  1. I don’t know whether to laugh, or cry.

    By the way, the wifey just stumbled past the den, getting out of the shower, and saw your face at the top of my computer screen.

    She says “Good Morning, Les”.

    She acts like you’re an unemployed friend who’s been crashing on our couch for a year!


  2. I started using Firefox about a week or so before this IE stuff reared its ugly head and overall have been pretty happy with it.

    The only problems I’ve had are frequent inability to load pages (I have to close the browser and re-open it to get a site to load), and my SpyBlaster doesn’t recognize it for protection. Thus far, I haven’t been able to figure out how to fix these issues.
