Tuesday

The Microsoft IE 0-day vulnerability part 3: an out of band patch arrives tomorrow



Some quotes in the media (bbc.co.uk) have been misunderstood (slashdot), making everyone think Microsoft urged users to switch to other browsers. This wasn't exactly true, but a lot of outside security experts are giving this advice.

Let me remind you that Firefox was voted the most vulnerable software in 2008 (ZDnet) and that Opera just released version 9.63 to fix several serious security vulnerabilities (ZDnet). Nothing is perfect.

I don't want to start a flame war; I'm still using Firefox + NoScript myself and will advise others to do so. But good vulnerability and patch management (at home or at work) is as important as the choice of (browser) software.

But Microsoft did acknowledge the seriousness of the current security issue and announced that they will be releasing an out of cycle security bulletin tomorrow for the IE zero day. So you can now patch your workstations ASAP (if you haven't deployed other countermeasures)!!!

More information at:
http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx

UPDATE: The irony. Mozilla also just released Firefox 3.0.5 (mozilla.org), which includes critical security fixes for XSS and JavaScript privilege escalation issues.

(Photo under creative commons from wader's photostream)
