As Yogi Berra said, it’s like deja vu all over again. If you don’t follow any of the links in the next paragraph, it reads like the WMF exploit of two months ago, but it actually is the latest Internet Explorer nasty. Here’s the plot:
There’s a gaping drive-by Internet Explorer security exploit that cropped up without any prior warning and is now appearing all over the Web. Microsoft unhelpfully says don’t surf in any sleazy areas and we’ll have a patch next month on our regularly scheduled Patch Tuesday. Commentators note that with hacked web servers, exploits are appearing in the nicest neighborhoods, and as a result security companies are coming out with their own patches, of which Microsoft disapproves. Nonetheless, Microsoft says they may well ship their own patch early if things look really, really serious.
This exploit has somewhat less potential for damage than the one of two months ago, because simply turning off Active Scripting will immunize those who know to do it and know how, but it leads one to wonder how many times we’ll get to relive this story. Robert McMillan reports at InfoWorld that the point isn’t lost on Microsoft, but they claim they are hard-pressed to provide fixes any faster, citing quality and compatibility concerns among other reasons. One quote I liked:
Microsoft’s practice of holding security fixes until the second Tuesday of each month, called “Patch Tuesday” by administrators, can sometimes hurt home users because they may not have the benefit of the “layers and layers” of protection that are typical in corporate environments, said Todd Towles, a security consultant based in Austin, Texas.
“In the past, I wouldn’t have a problem with the Microsoft delay, but this is happening too much,” he said. “Microsoft waits for Patch Tuesday to make corporate patch management teams happy, but this is only hurting the millions of home users that live at a higher security risk.”
And that’s the nut. It wasn’t so long ago that Microsoft patches were delivered “as needed” on what seemed to be a fairly timely basis, but the monthly “Patch Tuesday” was instituted to regularize the process and channel the apparent flood. I can’t believe that the Microsoft teams have really gotten any slower. Would it really be more disruptive to have a two-tier system, with the mundane patches coming on one Tuesday a month and the really serious ones coming as needed? That’s effectively what’s happening anyhow when patches get released early, as was the one for the WMF exploit two months ago. As it stands now, it looks like Microsoft is being dragged unwillingly to participate.