Yahoo! bug crushers have plugged a serious hole in Yahoo! Messenger that made it possible for bad guys to remotely take control of a user's machine. The update became available less than 24 hours after an anonymous hacker posted proof-of-concept code that demonstrated how the vulnerability could be exploited. The …
Register! Yahoo! Headline! Missing! Exclamation Marks!
What went wrong with the headline guys? Next you'll probably forget your hatred of Kevin Warwick and write a nice review of his new book.
"Maiffret, who holds up Microsoft as a model for responsible vulnerability handling"
ie let months go past before issuing a patch.
Bad Yahoo! Released a fix in 24 hrs.
"Bad Yahoo! Released a fix in 24 hrs"
No, they didn't. They released a fix 24 hours after a hacker had already exploited the bug. They had longer than that to fix it. Not that I'm claiming they're slow or anything. But not releasing a patch for months *and* not telling anyone what to exploit seems more responsible than quickly releasing a patch, but giving hackers a fighting chance at exploiting it first.
How many times has MS been prompted to publish a patch after a "zero day" exploit? A patch that they've been sitting on?
- Microsoft: We're hiking UK cloud prices 22%. Stop whining – it's the Brexit
- And so we enter day seven of King's College London major IT outage
- Thanks, IoT vendors: your slack attitude will get regulators moving
- Vodafone rapped with RECORD £4.6m fine for failing customers
- EU ruling restricts rights to resell back-up copies of software where originals are damaged, destroyed or lost