A vulnerability in IE? The devil you say!

Well, that didn’t take long. Some of the source code to Windows NT 4.0 and Windows 2000 was leaked on or about Thursday, and over the weekend someone coded up an exploit for some of the leaked code. I bet the security-through-obscurity camp are jumping for joy. “See,” my strawman says, “if the source had remained closed this exploit would have never been a problem!”
Not so fast. Whether the source code is released or not, people can find security flaws in software. There’s also no requirement that evil-doers publish information about exploits, which means that the blackhats may have had this exploit for years. The flaw has been there from the start; it’s only now that it’s been found by someone who would publish it instead of (or in addition to) exploiting it for personal gain.
That’s right, someone could have been out there using this exploit all along, although it’s unlikely due to the nature of this specific flaw. But now that it’s been published, IE 5 users can protect themselves, which means that the source code leak has led to more security instead of less security. As esr says, "Many eyes make all bugs shallow."
