cPanel, IE Security Flaws Exploited by Hackers - And What About Microsoft?
We know that cPanel responded quickly to repair the flaw once the company was informed. But what about Microsoft, whose IE issue made up the second half of the problem? Well, the software giant releases patches for its software on a regular schedule, unless it’s something really critical. And at first, Microsoft didn’t seem to think this particular exploit was critical enough. “Attacks remain limited,” explained Microsoft’s Scott Deacon on the company’s Security Response blog. “There’s been some confusion about that, that somehow attacks are dramatic and widespread. We’re just not seeing that from our data, and our Microsoft Security Response Alliance partners aren’t seeing that at all either.”
In the normal cycle of things, Microsoft would have waited until October 10 to release a patch for this vulnerability. In the meantime, the Zeroday Emergency Response Team (ZERT) released an unofficial patch. “We think it’s great that there are people out there working to help protect our customers,” Deacon noted, alluding to this group of veteran security researchers. “But as we’ve always said, we cannot endorse third party updates.”
It took a little bit longer, but the software giant finally did post a patch, on September 26. Microsoft says that the patch not only takes care of the public security issue but also “additional issues discovered through internal investigations.”
From a web hoster’s point of view, what happened has to be one of the scarier scenarios: two security holes in software created by two different vendors (only one of which needs to actually be used by the web host) being exploited together to attack your customers. With the amount of third-party software in use, it may become a more common scenario as well. We can only hope that proprietary software vendors become ever more responsive to their users’ needs and concerns, to help keep the damage from such an event from getting out of hand.