January 24, 2010, 12:00 PM — I still think that the safest thing you can do about your Web browsing habits is to switch from IE (Internet Explorer) to Firefox or some other browser. But, if you're wedded to IE 7 or 8 -- please, please stop using IE 6--Microsoft has made a fix available for all versions of IE. If you're reading this and you haven't upgraded your copy of IE yet, do yourself a favor, do it now. I'll wait for you.
OK, using updated IE or some other browser now? Good. Now for the bad news: it turns out that Microsoft has known about this critical bug since last August!
Some people are making excuses for Microsoft, saying that five months isn't too long for it to fix this bug and seven other serious IE bugs. Please. Give me a break. Serious security bugs are found and fixed in open-source software in days or weeks. Why should Microsoft get a free pass?
In its last reported quarter, Microsoft had a net profit of more than $3.5 billion. Is it too much to ask that it spend more of that on patch programming and quality assurance?
But what worries me far more than Microsoft's tardy ways when it comes to fixing major problems is that a relatively unknown bug was used in the attack. Usually, criminal hackers are a lazy lot. They wait until one security researcher or another reveals a security hole, and then they attack it. Or, more likely still, they wait until a company announces a patch for a known security hole, and then they jump on it.
In other words, they're not really hackers at all. They just have a bag of trick attacks that they deploy once someone else has shown them the way to a security hole. That's why it's so important to patch your software the second a fix is available. It's that brief period between when a security hole is fixed and most users have patched it that the crooks have their best chance to corrupt the most PCs.
That wasn't the case here though.