Microsoft Patches IE in 3 Days While Heartbleed Persists
At approximately 10am PDT on 5/1/2014, Microsoft released an out-of-band update for the Internet Explorer/Adobe Flash vulnerability published in Security Advisory 2963983:
- Microsoft customers with automatic updates or Intune will not need to take any action, as the patch will be automatically downloaded and installed.
- Windows XP customers will also receive the update despite the fact that the 14-year-old technology is no longer supported by Microsoft.
- Join the bulletin webcast for this update at 11am PDT, 5/2/2014.
- See the Microsoft Security Response post by Dustin Childs for more information.
- Microsoft released this patch just 3 business days from discovery, while the Heartbleed vulnerability persists in over 20,000 of the top 2 million Linux/Unix websites after nearly 30 days.
On April 28, 2014, Matrixforce posted Facts of Internet Explorer Vulnerability 2014. Contrary to popular misconceptions, the Secunia Browser Vulnerability Report shows open source browsers like Firefox and Chrome have over twice the vulnerabilities of Internet Explorer. The Department of Homeland Security couldn’t issue an advisory against using Linux/Unix websites at risk from Heartbleed, because it was difficult for users to determine the platform and there are dozens of manufacturers. Unfortunately, unlike Microsoft, there is no automatic update for Linux/Unix. If a similar Adobe Flash vulnerability emerges for those platforms, it would likely take much longer to eliminate, as evidenced by the Heartbleed bug still persisting.