The IE exploit that allowed the Google hack? MS knew about it IN SEPTEMBER

[thewayne]

From TFA: Microsoft confirmed it learned of the so-called “zero-day” flaw months ago.

According to Microsoft, “An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Linux and Mac have forced you to use Sudo to access low-level stuff for quite a while now, most Windows home users, prior to Vista, have been running as local admin, and were very vulnerable to this. Vista and Win7 made a lot of improvements in this area, but there are still far too many compromises possible.

http://www.wired.com/threatlevel/2010/01/microsoft-zero-day-flaw


In other news, Microsoft released a patch for this particular exploit.

http://www.pcmag.com/article2/0,2817,2358284,00.asp

http://tech.slashdot.org/story/10/01/21/2135226/Microsoft-Patches-Google-Hack-Flaw-In-IE?art_pos=17

Comments

[silveradept]

Sudo is an excellent thing, one that we like much. Why doesn't Windows use some sort of equivalent thing? Are they running too many things that need administrative access just for user tasks?

[thewayne.livejournal.com]

Part of it is developers who write code using admin access, the code then assumes that the end users will have admin access to their computer which is a huge IT no-no. We don't even like giving people Power User privileges in Windows.

I don't know how much of the problem is the difficulty of overcoming the inertia of supporting 16- and 32-bit code, or how much is marketing/C-levels driving release dates. More than a little bit of both, I imagine. Marketing pushed to get Vista out the door, and look at how much grief that caused.

Microsoft, and most software companies for that matter, seemingly have never seen the commercial: 'We will sell no wine before its time.'

I think they live by 'The perfect is the enemy of the good', or in their case, the stable and secure is the enemy of the *meh*.

It was really a matter of convenience. When I was playing World of Warcraft on a Windows box, I had to sign on as admin to load any patches. Very inconvenient. Now multiply that by the amount of crap most people have on their systems.

[silveradept]

...And you may as well just be running your admin account all the time. Got it.

I do think marketing determines when products get released, instead of developers - I wonder how many Service Packs could be avoided simply by waiting until the developers were ready to release...

[thewayne.livejournal.com]

The problem is that if a project is left strictly to the developers, they may never say it's good to go. It takes good management to hold the developer's feet to the fire to get the product out the door, which is the need for measurable milestones in the project plan. The other problem, which is more Windows specific than Mac (which is not to say that Mac OS and hardware is flawless) is the nigh infinite combination of hardware, OS version, OS updates, and software and all their interactions. One of the things that I find quite amusing is to see how long it takes the first patches to come out for a new product, Windows or Mac. Mac OS-X doesn't have as many OS patches because Apple is fanatic about controlling the hardware.

[silveradept]

True. Although it seems like the Linux community is reasonably good at making their OS work with the infinite possibilities of hardware, but then they're not as concerned with proprietary information getting out. If OSX were as popular and had as many things written for it as Windows does, then maybe they'd have the same sort of problems. Maybe Intel Macs have some of those?