Microsoft patch opens users to attack
Robert Lemos, SecurityFocus 2006-08-22

UPDATE: Microsoft continued to work on Tuesday to create a fix for an exploitable flaw introduced by the company's latest security update to Internet Explorer.

Microsoft patch opens users to attack 2006-08-23
TJ (1 replies)
Re: Microsoft patch opens users to attack 2006-08-24
Matthew Murphy (2 replies)
Incorrect. Microsoft is getting the shaft because they seriously screwed up. This is the worst regression in a security patch since MS00-086 *six years ago*. There's simply no good reason why this was missed -- it would've been readily obvious to a QA tester who ran the patch through live browsing on any of thousands of web sites. Simple compatibility testing would've revealed this failure if the test regime for the older product (IE 6.0 SP1) was decent.

There's a perfectly good excuse not to patch -- you go from dealing with vulnerabilities where the amount of in-the-wild knowledge is low to this issue, which is so trivially exploitable and easily identified that someone at Microsoft needs a good slap in the face.

Also, Microsoft chose NOT to communicate this issue to the public. They were going to continue passing off this issue as a "crash", even when they knew otherwise. That is MISREPRESENTATION, and it's what Microsoft has been hammered on by myself and others before. Further, when eEye did disclose the issue, Microsoft accused them of being "irresponsible".

I don't know how you get anything positive about this for Microsoft. MS06-042 and the resultant handling was a complete f---up on all counts -- one that reminds me of the 2000-era Microsoft. Keep in mind that they've had major QA problems with three patches in the last four cycles, now: MS06-042, MS06-040 and MS06-015.

Microsoft crippled patches 2006-08-23
assurbanipal
Microsoft patch opens users to attack 2006-08-24
Improvisator







 
