quote:
Microsoft issued a "critical" security alert about a hole in its Internet Explorer browser that could allow hackers to use an outdated Internet protocol to seize control of people's computers.
As previously reported, the exploit uses Gopher, an all-but-obsolete Internet protocol for fetching data from remote computers. Finnish security company Online Solutions uncovered the vulnerability May 20 and alerted the public last week.
But the threat is much worse than first revealed by Online Solutions. The hole also exists in some Microsoft server products. Microsoft deemed the threat critical for client computers running Internet Explorer 5.01, 5.5 and 6.0 and for Internet or intranet servers running Proxy Server 2.0 or ISA Server 2000.
In the service bulletin, issued late Tuesday, Microsoft noted that older versions of its server products could be vulnerable, but the company said it didn't do any testing "because previous versions are no longer supported." Likewise, older Internet Explorer versions could be vulnerable. Microsoft does not offer fixes for these older versions.
The problem results from an "unchecked buffer in the code which handles information returned from a Gopher server," Microsoft explained in the security bulletin.
This is utterly pathetic and totally laughable!
If this code had been open source, how long do you think it would have taken before somebody had checked it and patched it? Microsoft only offers fixes for newer versions of the products. Why? No good reason except marketing. How difficult could it be, if they have a fix for some versions, to make one for other versions?
Plus, it's Gopher, for God's sake! It's hardly some new vulnerability that has just hit the computer world! Ridiculous.
And because they have no shame they'll still bleat on about how corporate closed source bug fixes come reliably quickly, and how you really need a company to know the code, but keep it from the users since that's the best security model.
BALDERDASH, I say.