Monday, November 21, 2005

Responsible, Irresponsible

Take a look at this line from this security advisory issued this evening by Microsoft in response to today's today's zero-day exploit drama:

"This issue was originally publicly reported in May as being a stability issue that caused the browser to close."

That's essentially an admission from Microsoft that the vulnerability was reported six months ago but remains unpatched. Whenever I ask Microsoft about these old denial-of-service bugs, I'm always bothered by the flippant dismissal of these issues.

To paraphrase a typical Microsoft response: "All it does is close the browser. You open a new browser session and that's that. No vulnerability to see here."

Well, look what we have here. Someone figures out that it's not simply a denial-of-service flaw. In fact, it's a nasty code execution issue. Remember, this is something that Microsoft has known for six months. Isn't that more than enough time for Microsoft to figure this out themselves?

Hard to be sympathetic to Microsoft's pleas for responsible disclosure when their own actions here are incredibly irresponsible.