You may have seen in the news over the last few days that a vulnerability has come to light in IE, which allows a carefully crafted web page to run arbitrary code on a PC. I don’t assess the technical side of vulnerabilities - some of the things written about how serious this one was verge on the hysterical, and some downplay it too far. There are two web casts scheduled to talk about this one, on Wednesday, December 17, 2008 1:00 P.M. Pacific Time / 9PM GMT and Thursday, December 18, 2008 11:00 A.M. Pacific Time / 7PM GMT, if you want to get chapter and verse.
In any event, the fix is now on Windows Update. It’s serious enough to put a fix out without sticking to our normal schedule. Our biggest worry with every fix we post is that it gets reverse engineered, so get this one installed on any machine where you use IE to access the internet. On servers, where you don’t use a browser, or only use it for very limited browsing of trustworthy sites, there is less urgency.
I did read something in a recent customer survey, where a customer wrote that products should be 100% bug free. Realistically, bug-free code is like an error-free newspaper … a great aim, but something which doesn’t really happen. Some minor typos, spelling, punctuation or grammatical errors can be left without anyone being concerned. Others change the meaning of what is said. Some errors of fact need a correction to be issued (patches) and some can land you in the libel courts. Something like the Nimda virus was the equivalent of a huge libel payout; this one seems to be more than a correction buried somewhere internally and less than a £1M libel payout.