Does Microsoft really have security experts?


Wow…I hope Mr. Bill Gates won’t be mad at me or Gadgetell for asking this kind of question. I know Microsoft has an army of security consultants, but I am not sure what they do. You might be wondering why I asked. I have just read the latest Microsoft security news at Mobile Tech Today, by Tim Gray, October 6, 2006 10:56AM, and here is what it says:

Discovered by Sunbelt Software, the vulnerability involved the way that the browser handles Vector Markup Language (VML) graphics. Reports had emerged that hackers were exploiting the flaw by creating Web pages that could download spyware or keyloggers onto a user’s system.

Did you get what I am trying to convey here? A lot of Windows security vulnerabilities are discovered by third parties, not Microsoft security consultants; at least that is what I am made to understand from my limited reading and knowledge. Even if Redmond does discover a weakness in their software, they just quietly develop the patches and make them available for download. A good public relations exercise is definitely in practice here.

More often than not, those third parties are…yes, your guess is as good as mine…hackers. By the time the news gets to Microsoft, the damage is already done. I bet Microsoft engineers then had to stay overnight to come up with fixes and quickly put up the patches for download.

The vulnerability discovered by Sunbelt Software and mentioned in the report is related to the way the Microsoft IE browser handles VML. I checked the Windows Security Update webpage and found that only last month, published 12th September 2006, there was a list of patches already issued, supposedly to cater for the same VML vulnerability.

Microsoft released a critical security update today that addresses a remote code execution vulnerability that exists in the Vector Markup Language (VML) implementation in Microsoft Windows:
• MS06-055 – addresses a vulnerability in Microsoft Windows

As part of Microsoft’s routine, monthly security update cycle, we released the following 3 security updates on September 12, 2006:
• MS06-052 – addresses a vulnerability in Microsoft Windows
• MS06-053 – addresses a vulnerability in Microsoft Windows
• MS06-054 – addresses a vulnerability in Microsoft Office

We also re-released the following 2 security updates on September 12, 2006:
• MS06-040 – addresses a vulnerability in Microsoft Windows
• MS06-042 – addresses a vulnerability in Internet Explorer, a component of Windows

Is Microsoft telling us that the previous patches didn’t work? Which brings up another question…how stringent is their quality assurance testing with regard to security? I will let your thoughts run wild on that.

In the meantime, don’t forget that this coming Tuesday, 10th October 2006, you have to run your Windows update again. Happy downloading…!

Read [Mobile Tech Today]
