Zero-day WMF flaw underscores patch problems
Robert Lemos, SecurityFocus 2006-01-12

For four days in January, network administrators and security-savvy home users had a choice: Download and install an unofficial open-source fix for the critical flaw in the Windows Meta File (WMF) format or wait an estimated week for an official patch from Microsoft.

Comments

What Microsoft needs to be doing... (Eric, 2006-01-12, 2 replies)
Re: What Microsoft needs to be doing... (Matthew Murphy, 2006-01-13, 1 reply)
They're very much customer-driven, just not by the customers you might think. They're "driven" by large corporate customers that think of IT as a non-necessity, a resource. They also have resources to throw behind occasional risk management in the face of a REPORTED zero-day threat. Publicly-known exploitation is *NOT* the worst-case for these companies. Accordingly, they'll put up with decent response and virtually zero preemptive mitigation.

Further, I think this vulnerability shows how flawed the "they should audit and review, and not work on new code" argument is. Developers of other technologies (e.g., Wine) missed the same erroneous feature in their own implementation of Windows Metafile support.

Further, in a codebase as large as that of Windows, being secure "for the most part" may mean leaving several dozen holes. An attacker finds one before you do... and you're just as hosed as you would be today.

Copyright 2009, SecurityFocus