Rumors have been circulating that Microsoft had been aware of a bug in its browser, Internet Explorer (IE), since last year, and yesterday the company confirmed it.
Mike Reavey, director of Microsoft’s Security Response Center, said that the company had known about the critical flaw in an ActiveX control since early spring 2008. That does not mean, however, that the company failed to address the situation promptly.
Reavey said that investigations on their end started as soon as the vulnerability was reported to them.
So why did it take over a year to fix? According to John Pescatore, Gartner’s primary security analyst, taking more than a year is “not an acceptable timeframe” for a company the size of Microsoft.
Ryan Smith, one of the two researchers who reported the bug to Microsoft, offered an explanation. “The nature of this flaw is sort of unique,” he said. “The mechanics of this are sort of unique as well. It was those unique qualities that required more time than Microsoft would normally need.”
Reavey’s defense also makes sense. “We always want to give customers a complete solution,” he said. “If we had tried to do something earlier, it wouldn’t have been as clean for customers.”
A patch will be released by Microsoft on July 14 “that will block all known attacks”.
Keep your fingers crossed guys.