Code Security in Mature Applications *EXPLETIVE*
This is a big deal for Microsoft and people inside the company are doing all they can to find a resolution to this IE flaw. The issue surround this very legacy bug dating back to IE 4 (as far as I can tell) is that up until recently no one could really exploit this in a scalable way and and the sheer complexity of trying to patch something like this was daunting. The land of operating systems is hard place to have fun in if you are a hacker so they are now setting their focus on the gateways of the web. Since Microsoft is dominating in terms of market share here as well, IE is a natural target with all its legacy code, spaghetti and all.
I say spaghetti because ANY code maintained for such a period of time has code security issues. Not to deflect criticism to Linux, but see the comical graph below outlining the number of expletives in the source code. Even the Linux kernel has to deal with code cleanup. Code and architectures that made sense and were secure enough in one computing paradigm may not pass in future paradigms. This is where Microsoft has traditionally gotten hurt. There is a perception that Microsoft sacrifices security for progress and agility. The fact is that it is a balancing act and no one is ever completely secure. If we could all be completely secure than government wouldn’t spend billions on computer security every year. Things can get through the cracks, but when they do, rest assure that Microsoft will be transparent and forthcoming like they are with this vulnerability. Before you judge, judge your alternatives with the likes of Apple who flat out refused to patch their browser and ignored the issue completely.
That’s why when Microsoft tells you to upgrade your compilers to the latest versions, we’re doing so that your code will be more secure. That’s why when Microsoft says, “Please for the love of all that good and holy, stop using IE6 in your business and upgrade to a secure browser,” we really really mean it – latest flaw excluded. When Microsoft says Vista is the most secure operating system they have ever built and think you should upgrade even though you think security is not a ‘feature,’ – upgrade. In fact if you were using IE7 in Protected mode in Vista, this bug is not nearly as damaging.