Windows’ Gaping, Seven Month Hole

Quite a big hooha over this latest Microsoft vulnerability, and I readily ‘fess up to the fact that I didn’t really take this seriously. Seems like I wasn’t the only one.

But folk like Shawna McAlearney of SearchSecurity.com points out that the delay of 200 days between Microsoft being notified and their coming out with a patch is appallingly long. “If Microsoft really considered this a serious or critical vulnerability for nearly all Windows users, it should have been a ‘drop-everything-and-fix’ thing resolved in a short period of time,” Shawna quotes Richard Forno, a security consultant, as saying. “Nearly 200 days to research and resolve a ‘critical’ vulnerability on such a far-reaching problem is nothing short of gross negligence by Microsoft, and is a direct affront to its much-hyped Trustworthy Computing projects and public statements about how security is playing much more important role in its products.” Strong stuff.

So what is all the fuss about? The vulnerability in question can, in theory, permit an unauthenticated, remote attacker to execute arbitrary code with system privileges: That means a ne’er do well could do anything they want in your computer. And while it hasn’t happened yet, to our knowledge, it’s only a question of time, according to Scott Blake, vice president of information security at Houston-based BindView Corp.: “We believe attacks will be conducted remotely over the Internet, via e-mail and by browsing Web pages. We expect to see rapid exploitation — it’s simply a case of when it materializes.”

Paul Thurrot, of WinNetMag, weighs in with his view, pointing out that the flaw is a very simple one: “attackers can compromise the flaw with a simple buffer-overrun attack, a common type of attack that Microsoft has wrestled with since its Trustworthy Computing code review 2 years ago.”