It's no leap to say if you're reading this, Internet Explorer is a long-forgotten memory in the history of web browsers for you, with Firefox, Chrome, Opera, Safari or one of many other alternatives having supplanted its place on your desktop. As for the rest of the internet, that's not the case. So, when a critical issue with Microsoft's browser goes unfixed by the developer, should we be concerned? It depends.
As InfoWorld's Jeremy Kirk writes, Microsoft is only just getting around to patching a vulnerability in IE 8 that can result in code execution (as well as crashes and unexpected behaviour) if a user visits a carefully-crafted page.
Kirk goes on to mention that Microsoft was made aware of the exploit back in October last year, but it seems that only after information on the flaw was revealed publicly that the company decided to act. A Microsoft representative however, explained that fixes take time to engineer and test and it would release a patch "when ready in order to help protect customers".
IE 8 might seem ancient, seeing as it was released back in 2009, but as ArsTechnica's Dan Goodin points out, it's still one of the more popular versions available. Does that mean we should be worried?
Not really. Peter Van Eeckhoutte, the man responsible for discovering the exploit, says it's "very unlikely" anyone would be affected and goes some way to explaining why Microsoft didn't conjure up a patch the moment it was told:
Achieving a zero-bug state in complex software (such as a web browser) is very unlikely. That's exactly why Operating Systems (Windows, Unix, Linux, OSX, Android, etc) have adopted additional security measures such as ASLR, DEP, Canaries, etc. It doesn't matter what OS or application you’re running. Focusing on just one bug and its time/delay to patch doesn't really say much about your absolute level of security. We often don’t need to be worried about the known, but about the unknown. We need generic and layered defense, period. Harden your OS, harden your apps, harden your browser.
In fact, those susceptible can just block ActiveX and Active Scripting and be fine, or install the company's Enhanced Migration Experience Toolkit.
In contrast to what you may think about Microsoft and that speed at which it attends to vulnerabilities, Van Eeckhoutte believes the company is doing "an excellent job":
...I don't believe this is an indication that Microsoft is ignoring bug reports or doesn't care about security at all, so let's not exaggerate things. In fact, Microsoft is doing an excellent job in handling vulnerability reports, issuing patches and crediting researchers. I'm sure we can all come up with examples of (small and large) software companies that approach bug reports in a different way.