The vulnerability in question concerns Internet Explorer: it can be exploited by crafting an HTML page which, once rendered by MSIE, can extract and execute malicious code on the victim's computer.
This vulnerability had been discovered by eEye Digital Security itself about four months ago. On 20 August Microsoft released a first security patch, then redistributed it in modified form on 28 August because, under certain circumstances, the original version could itself cause problems (sic).
Now, according to eEye, Microsoft should be getting ready to distribute a third version of the patch, since the one currently in circulation does not work:
The patch appears to be due for yet another rerelease because it simply doesn't fix the vulnerability it is supposed to, eEye said.
eEye does not miss the chance to stress Microsoft's responsibilities:
Marc Maiffret, eEye's chief hacking officer, said the vulnerability is particularly critical, because it doesn't take a lot of effort to take advantage of it.
"It's pretty serious just because it's so easy to exploit...it doesn't require someone to know how to write buffer overflow exploits or anything like that," he said.
Maiffret says Microsoft should have done a better job to begin with. "How do you take four months to fix something this simple and then not fix it correctly?" he asked. "It seems like they are taking security seriously...(but) at the same time, I don't think they're really investing."
The lack of suitably skilled security engineers within Microsoft is one reason, Maiffret said, this incident - described by the researcher who discovered the flaw in the patch as a "pathetic oversight" - has occurred.
"A lot of it comes from having the right people in-house," Maiffret said. "They have some very smart guys in there, but they definitely don't have enough."
Source: News.com.