microsoft is disappointed
Written by jlgaddis on February 13, 2005 – 10:24 pm
According to “Proof-of-Concept Code Increases Risk to Computer Users: Windows, MSN Messenger and Office XP Users Should Install Current Security Updates Immediately”, “Microsoft is concerned that the publishing of proof-of-concept code within hours of the security updates being made available has put customers at increased risk. A common practice among responsible researchers is to wait a reasonable period of time before publishing such code. This generally accepted industry practice gives individual users and enterprise businesses time to test, download, and deploy security updates. Microsoft is disappointed computer users were not given a reasonable opportunity to safeguard their computing environments.”
Meanwhile, computer users everywhere are concerned about all of the unpatched vulnerabilities that still exist in Microsoft products many months after Microsoft has been notified about them. The InfoSec world is disappointed that Microsoft has not “given [them] a reasonable opportunity to safeguard their computing environments.”
On 13 July 2004, nearly 7 months ago, Microsoft was notified about this vulnerability and was given proof-of-concept (PoC) code that illustrated it. It took them nearly 7 MONTHS to release what should be a very simple fix. It was only AFTER Microsoft released their update that Rafel Ivgi of the Malicious Code Research Center at Finjan Software, Ltd. made public the PoC code. This PoC code was then modified into a working exploit by another person and that is now “in the wild”.



