So Microsoft has known about the IE vulnerability (CVE-2010-0249) since last September.
So, let me get this straight, MS was informed about this vulnerability by a security researcher (Meron Sellen) last August, and it’s sat in the Microsoft Security Response Center’s queue to be fixed until Google got hacked, and then they checked their queue to see if they knew about it?
Even though this was acknowledged in September, and MS planned to ship the patch in a cumulative IE update next month, so that’s 6 months, really? Wow, I thought that Adobe had it tough with not having enough developers to patch.
This really makes me question the world’s largest OS developer, I have to say. The following questions come to mind though.
- If this was passed to them last September, do they have that many bugs in their code that they haven’t gotten around to this one yet?
- What happened to MS’s secure development program if something like this can get missed?
- As it’s the fault of a software development house that another 33 companies were hacked, will any legal action be taken against them for this?
- Will/Could Google sue MS for damages if they do decide to pull out of China because of this hack?
Just random thoughts, but hey…