Security


Slashdot posted a link to a Washington Post article tallying the number of days in the year on which IE6 had public exploit code circulating with no fix from Microsoft. The result: for more than nine months of the year (284 days), IE6 had known, unpatched security flaws. There were also another 98 days on which IE flaws that criminals were actively using to steal personal and financial data went unfixed.

Could a customer sue Microsoft over his losses because of the lack of support for the browser? Microsoft enforces Internet Explorer as the default browser in all its operating systems, which causes the majority of people to go with the crowd and use what is already there. Given the results in the article, I think Microsoft should be held legally accountable for the loss of millions of users' data, and in the future they should have a choice of either removing IE from their system or showing one of those scary warning signs of theirs to the user, saying “We do not guarantee the confidentiality of the information you send and receive over the internet if you use our Internet Explorer”, just like they did when they lost the lawsuit against Sun for licensing their own modified JRE.


A third MS Word code-execution exploit has been posted; it allows code execution on the victim's PC simply by opening the malicious Word document. While Microsoft has not yet publicly confirmed the vulnerability, the United States Computer Emergency Readiness Team (US-CERT) has issued a warning about it. More on the story comes from eWeek.


Open-source PHP security specialist and PHP Security Response Team member Stefan Esser has had enough and resigned. The security expert says in his blog:

“The reasons for this are many, but the most important one is that I have realised that any attempt to improve the security of PHP from the inside is futile. The PHP Group will jump into your boat as soon you try to blame PHP’s security problems on the user but the moment you criticize the security of PHP itself you become persona non grata. I stopped counting the times I was called immoral traitor for disclosing security holes in PHP or for developing Suhosin.”

This is clearly a very strong message, sent in public, about the mood inside the PHP community. What makes it worse for them is that security holes, and the slow response to them, will no longer be hidden from the public; instead they will be disclosed openly. “For the ordinary PHP user this means that I will no longer hide the slow response time to security holes in my advisories”, Stefan says.

This incident, however, is not the first of its kind. Back in July, PHP lead developer Jani Taskinen also left the team, with what has been called a cryptic message:

"Thank you all for the last 6 years or so. It has been fun
(sometimes) and many times not so much fun. Unfortunately
I have had enough and I don't want to be associated with
this project anymore.

I'm sure most people (the ones who matter) can understand
why. If someone doesn't, I could not care less. Take care.

Please do not reply to this email.

--Jani

p.s. Delete my CVS account. I have no use for it anymore."

The message does not give many details, but it is enough to reveal the low morale and the disputes going on inside the project. Open source is the strongest kind of community when it is built on honest goals with a united team, but since that is all that holds it together, and it is non-profit, disputes like these can quickly break its backbone and bring the whole organization to its knees, especially with the rise of alternatives such as Ruby.


Just one day after the zero-day flaw in Word was announced, another zero-day flaw has been discovered in Windows Media Player. The flaw resides in the WMVCORE.DLL library, which handles .ASX files. Microsoft has not yet released a fix for the problem, and has not even acknowledged it.

Click here for the source and some details on how this flaw works, and how to protect yourself against it.


Microsoft has issued a security advisory regarding a newly discovered Word zero-day attack. The attack affects all major Word releases and is triggered simply by opening an unsolicited attachment, whether from a known or an unknown source. The best thing to do for now is to avoid opening any attachments, even from legitimate sources. The report came from eWeek, with more details.

