Back on September 17th, Microsoft issued a warning about a serious bug in all versions of Internet Explorer that bad guys were known to be exploiting. If an Internet Explorer user visits a malicious web page, their computer can get infected with malicious software.
Assuming that Microsoft was aware of the flaw before they made the public announcement (according to FireEye, the flaw was first exploited on August 23, 2013), then they have sat on this problem for well over two weeks. Considering that the bug affects all versions of Internet Explorer (from 6 through 11) and that IE is the world's most popular browser (at least on desktop computers), things look even worse.
But I see a bigger issue here: the way Microsoft avoids responsibility.
To begin with, nowhere in these two weeks has Microsoft offered even a hint about when a fix can be expected. Instead they offer workarounds that end users have to implement, assuming they even know about the problem.
Chances are, if you are reading Computerworld, you are a techie. How many non-techie Windows users do you know that are aware of this critical vulnerability in Internet Explorer? My guess is very few.
Each Windows user has to educate themselves about the IE vulnerability. Nothing in Windows communicates the fact that Internet Explorer is vulnerable to attack. No patches are pushed out to users to at least bypass the problem until a permanent fix is ready.
Windows users who heard about the problem were probably also informed that Microsoft has a manually installable "Fix it" solution.
Despite the name, the "Fix it" does not fix the problem. Instead it offers a temporary work-around.
Like other Microsoft "Fix it" workarounds, there is an undo for this one. Any Windows user who installs the "Fix it" is then obligated to learn about the eventual patch for the underlying problem. When the real fix is released, the Windows user has to remember to undo the temporary workaround. Remember? My experience has been that Microsoft offers no help in notifying people when the time comes to undo these temporary workarounds.
And when that time comes, which should be done first? That is, should the eventual IE patch be applied before or after undoing the "Fix it" workaround? I read the documentation. It doesn't say.
The documentation does, however, say that the "Fix it" solution only applies to 32-bit versions of Internet Explorer. How can you tell if your copy of IE is 32-bit or not? Microsoft doesn't say. The burden is on the end user to understand the technology.
The documentation also notes that "you must have security update 2870699 installed for this Fix it to provide effective protection against this issue." How can you tell if security update 2870699 is installed or not? Microsoft doesn't say.
Could the "Fix it" program be made smart enough to detect, on its own, whether the necessary security update is already installed? Sure it could. But that's not the Microsoft way. The burden of getting all the ducks in a row falls to the end user.
The instructions for installing the "Fix it" workaround state:
"To enable or disable this Fix it solution, click the Fix it button or link under the Enable heading or under the Disable heading. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard."
Anyone running Firefox or Chrome has to be aware that their browser has no "Run" option; the instructions only apply to Internet Explorer. Microsoft doesn't tell users of other browsers that they should download an MSI file to their computer and run it.
And, documenting the actual steps involved in running the "Fix it" wizard? That's not the way Microsoft rolls.*
Do you need to be logged on as an Administrator to install the "Fix it"? They don't say.
Suppose you maintain multiple Windows computers and lost track of whether this particular "Fix it" was installed or not. How can you tell if it has been installed? Microsoft doesn't say.
Don't like the "Fix it" route? Microsoft has other suggestions for Windows users who have never heard of Firefox, Chrome or Opera.
You can "help protect against exploitation" if you 'Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones'. But that breaks some websites. Broken websites then have to be added to the Trusted sites zone. Firefox please.
Or, you can configure IE to prompt before running Active Scripting. It is assumed that everyone using Windows knows what Active Scripting is. What does an Active Scripting prompt look like? What is the safe response to the prompt? There are no examples. Chrome please.
Microsoft's final suggestion is to install and configure a complicated techie thing called EMET. Opera please.
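The questions the article keeps asking (is update 2870699 installed, is my IE 32-bit, is the "Fix it" on this machine, are the zone settings actually at the blocking level) can all be answered from a PowerShell prompt. This is an added audit script, not code from the article or from Microsoft; the registry zone value names (1200 for ActiveX controls, 1400 for Active Scripting; 0 = Enable, 1 = Prompt, 3 = Disable) and the assumption that a "Fix it" shows up under its own name in the installed-programs list come from general Windows knowledge, not from the article.

```powershell
# Added audit script (not from the article or Microsoft). Run in an elevated PowerShell
# prompt on the machine being checked. Registry value numbers and the "Fix it"
# display-name match below are assumptions from general Windows knowledge.

# 1. Is security update 2870699, the stated prerequisite for the Fix it, installed?
$kb = Get-HotFix -Id 'KB2870699' -ErrorAction SilentlyContinue
if ($kb) { "KB2870699 installed on $($kb.InstalledOn)" } else { "KB2870699 NOT installed" }

# 2. IE version and OS architecture. The Fix it only covers 32-bit IE; on 64-bit Windows
#    both a 32-bit and a 64-bit iexplore.exe exist, so step 3 checks which one is running.
$ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$ieVer = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
"Internet Explorer version: $ieVer"
"Windows architecture: $((Get-WmiObject Win32_OperatingSystem).OSArchitecture)"

# 3. Bitness of any IE currently running: a path under 'Program Files (x86)' is 32-bit.
Get-Process iexplore -ErrorAction SilentlyContinue | ForEach-Object {
    $bits = if ($_.Path -like '*Program Files (x86)*') { '32-bit' } else { '64-bit' }
    "iexplore.exe PID $($_.Id): $bits"
}

# 4. Is a "Fix it" package listed in Programs and Features? (Assumption: Fix it MSIs
#    register a DisplayName containing "Fix it"; the exact name for this one is not known here.)
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
          'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$fixits = Get-ItemProperty $uninst -ErrorAction SilentlyContinue |
          Where-Object { $_.DisplayName -like '*Fix it*' } | Select-Object -ExpandProperty DisplayName
if ($fixits) { "Installed Fix it packages: $($fixits -join '; ')" } else { "No Fix it package found" }

# 5. Per-user zone settings for Local intranet (zone 1) and Internet (zone 3).
#    Setting 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting.
#    "High" means both are Disable (3). Domain policy under HKLM may override these values.
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
foreach ($zone in 1, 3) {
    $name = if ($zone -eq 1) { 'Local intranet' } else { 'Internet' }
    $z = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone" -ErrorAction SilentlyContinue
    foreach ($v in 1200, 1400) {
        $what = if ($v -eq 1200) { 'ActiveX controls' } else { 'Active Scripting' }
        $raw = $z.$v
        $label = if ($raw -ne $null -and $meaning.ContainsKey([int]$raw)) { $meaning[[int]$raw] } else { "unknown (raw=$raw)" }
        "$name zone, $what (value $v): $label"
    }
}
```

The output is a plain checklist; anything other than "Disable" in step 5 means the "High" workaround is not in effect for that zone for the current user.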
Microsoft doesn't suggest what every techie in the world would suggest: using Firefox, Chrome or Opera. The company lives in a fantasy world where the only software is their software.
The documentation for the IE "Fix it" workaround says "Microsoft has released a Microsoft security advisory about this issue for IT professionals". Non-IT professionals are on their own, as we have just seen. The company functions as if each Windows user were a techie. More fantasy.
It is no surprise that non-techies are more comfortable using newer operating systems (iOS, Android and Chrome OS) that don't require under-the-hood tinkering, where users are not expected to be technical experts and where situations such as "view a web page, get a virus" don't happen with regularity.
*Anyone for whom this is their first "Fix it" program can get an idea of what to expect when running it from blogger Martin Brinkmann at his ghacks.net site.