This is one of the reasons I get bent out of shape with the length of time that vendors take to address bugs.
From The Register:
Microsoft was aware of a critical vulnerability in an Internet Explorer component at least 12 months before attackers started targeting it in lethal exploits that take full control of end-users’ PCs, a member of its security team said Wednesday.
The disclosure comes as attacks targeting the MSVidCtl ActiveX control vulnerability have increased exponentially. On Monday, online ads distributed through the Giant Realm network on popular gaming websites began including code that exploits the bug, according to security firm ScanSafe.
I would be interested to hear Microsoft’s response to this allegation that was leveled.
Strangely enough…
Microsoft’s Reavey defended the decision to withhold an advisory until Monday, explaining that any fix must meet a demanding balancing act that ensures it is thorough enough to block a wide variety of related attacks while narrow enough that it doesn’t cripple crucial parts of the software.
The spin. I loathe the spin.