All the rage has lately centered around the recent escalation of a “Denial of Service” Internet Explorer vulnerability that has suddenly without warning become a “remote-code execution” vulnerability.

Ok, patch your systems, lock your windows and post a dog at the front door. All that aside, this raises again the issue of software patching response times and best-practice software coding. There are a number of people who are very upset at this, not because it’s yet another browser-directed exploit or even because it’s a Microsoft exploit, but because it was not fixed when it should have been!

Indeed, Microsoft has known about this bug for over 6 months. It was set as a low-priority issue because no one had yet found a way to exploit it. Now knowing programming and many programmers who have written “interesting” code, I know that any competent programmer could have looked at the code and seen the potential.

I suspect that Microsoft simply saw what someone was able to do with it and classified it as such. After all, they don’t make more money of their patches so leaving it low priority frees up their programmers to do things that do make money. However at a terrible cost to the rest of us.

Theories aside, at least the last Firefox Denial of Service vulnerability was patched 7 days before the vulnerability was even announced.