
SANS ISC: So, when is a security advisory, not a security advisory? - SANS Internet Storm Center SANS ISC InfoSec Forums

Microsoft released a security advisory 912945 out of cycle and with little publicity yesterday, the title of which is "Non-security Update for Internet Explorer".  The update appears to change the default behavior of IE in handling ActiveX components.  Given the security issues of ActiveX that have been discussed many times in the past, I'd say that probably does qualify as a security update and I applaud Microsoft for changing the default accept (if that is indeed what the update does, a big if).  I'm just curious as to why this is being done now given their reluctance to issue patches out of cycle in the recent past.  It has been reported (here among other places) that this is the result of losing a patent infringement case last fall, but I haven't seen that officially acknowledged by Microsoft.

Jim Clausing,  jclausing --at--


Mar 1st 2006
