Broadband Developments

December 17, 2008

IE - Hong Kong Porn Connection - Patch Tuesday Must Die.

Filed under: BroadDev, Networking, Security — John Casaretto @ 10:15 am

Microsoft is now shedding a little more light on the zero-day XML vulnerability. It seems some Hong Kong-based pornography sites are dropping the trojans Trojan:Win32/VB.IQ.dr and Trojan:Win32/VB.IQ on unsuspecting PC users. This is in addition to exploits discovered on a popular Taiwan search engine. The details are here. A patch for this vulnerability is to be released today.

(BTW I wonder what that job is like – “Just checking on potential viruses chief”)   I digress – really I appreciate all the MS team does to keep us in the dark keep us up to date on this serious security flaw in every instance of that little blue E on all the desktops in the world.  I mean if Hong Kong porn is not safe, then who is…?

All kidding aside, can we stop the Patch Tuesday nonsense? We now have a second “out of band” update this year. Hackers are now celebrating “Exploit Wednesday” - look it up. Some environments take weeks to approve these types of updates, even emergency ones. I bet there are plenty of steamed folks out there about this little escapade. Reports say this XML exploit started the day after the last regular patch.

I know things get exploited – fine. And don’t start with the Mac and Linux tripe. It’s just a fact that everything can be pwned. I just have issues with the notification and resolution. How you deal with it is what really determines how protected an organization is. Patch Tuesday must die. It’s like putting a sign on your lawn that says, “I am not home from the hours of 8am-5:30pm”. Let’s put the call out today to put a nail in this thing. Stop Patch Tuesday. We need updates as they happen. 30 days is too long. Think about it. Think about all the little vulnerabilities that don’t get the press. Hacker releases exploit on Wednesday; if it gets found, it might make the next round of patches. IT gets the update, tests on systems, releases to production – that could be 6 weeks of password-stealing, PC Zombie fun.

NOTE: I know there are crews at MS that have busted to get this thing identified and fixed – Thank you.  Again, I just don’t think the announcement strategy is working.  I know I will get some flames for this and some people who agree.  If someone has a better way, then speak up.

December 15, 2008

All versions of IE Are Vulnerable

Filed under: BroadDev, Networking, Security — John Casaretto @ 3:41 pm

The zero-day XML vulnerabilities once reported to affect only IE7 targets are now prompting a warning from Microsoft to its customers across all supported versions of its Internet Explorer web browser.

http://www.microsoft.com/technet/security/advisory/961051.mspx

The workaround centers on setting Internet security settings to high and disabling Oledb32.dll via ACL - not an end user-friendly operation. Apparently the attacks have predominantly been noted against IE7 and on Chinese sites. It exploits the way IE handles XML. The exploit could potentially be used to access several types of sensitive data; however, thus far it is only reported to be stealing passwords for computer games.

There are reports that Microsoft is considering fixing the flaw through an emergency software patch outside of the standard “Patch Tuesday”.

Now is a good time to give Google Chrome a try.

September 3, 2008

WHOA - What’s with all this Chrome stuff?

Filed under: BroadDev, Web 2.0 — John Casaretto @ 10:04 am

Lofty goals are important. Changes in the technology continuum create a better experience for everyone. No doubt about it. Things like the rise of Google, YouTube, eBay, and so forth are all examples of that.
Something new comes along, some folks make money, a leap in technology is made and everyone plays catch-up. And then we are all better off.

So let’s talk about this Chrome business.  Now, just because a browser is better doesn’t mean people will use it.  The only thing that will change Internet Explorer’s dominance is knocking Windows off the desktop.   Don’t hold your breath.

I have been a Firefox user for years. I use IE when I have to. I love the flexibility, quickness, the tabbed browsing, extensions, etc., all that stuff that makes it a 100X superior browser to Internet Explorer. And I have tried to get so many people to change over. Technical people, non-technical people, you name it. The bottom line is Internet Explorer is good enough. There are enough new features being released in IE that few but the technically elite will bother to change. I am also betting that most people who switch to Chrome will be Firefox users, at least at first.

What will undeniably happen is that all the browsers will keep pace as well, transforming the web as we know it in the long run.  Chrome and Firefox need Internet Explorer and vice versa. At the root of it all is a focus on Google Chrome to be the platform for their web-based Apps.  We will have to see if this incentive along with the technical prowess of this browser is enough to turn the tide.

So give Chrome a whirl, but know this is a first version. Some things will come up, as Alex Lewis has mentioned, but they can and will improve. But let’s not get ahead of ourselves and proclaim this will knock Microsoft’s browser out of the box. Maybe with steady improvements and some marketing or a tie-in with an Android-based phone revolution, we will see something significant in the long run. This is certainly significant news and it could be one piece to a grand story that remains to be told.
