Microsoft Is Taken to Task Over Flaw Response

From the Associated Press

When Microsoft Corp. learned recently that a software flaw had been made public and could prompt Internet attacks, it ordered a team to devote all its time to fixing the flaw and making the repair work with other products.

Microsoft says that is the approach customers want and expect, but some computer security experts complain that the company’s traditional method, which could take days or weeks, doesn’t help fast enough.

So for the second time in three months, outside programmers took matters into their own hands by quickly releasing their own fixes, days ahead of Microsoft’s patch for its market-dominant Internet Explorer browser.

Microsoft doesn’t endorse such third-party fixes, warning that it can’t vouch for whether they will work smoothly with Microsoft products and other applications. But those providing them contend that they have a responsibility to protect users from attacks.

“It’s kind of like having the cure and not sharing it with anybody,” said Marc Maiffret, chief hacking officer at EEye Digital Security Inc. The Aliso Viejo company recently released such a fix.

Rather than replacing Microsoft’s own patch, Maiffret says he is hoping to provide a bandage for the interim.

The security expert also doesn’t fault Microsoft for taking time to finalize an official patch because it can be difficult to make sure that repairing one part of the complex Windows operating system, which includes Internet Explorer, doesn’t cause problems elsewhere.

He also realizes that a patch like that can cause any of the thousands of non-Microsoft applications running on Windows machines to stop working, crippling businesses and frustrating home users.

But Maiffret contends that Microsoft should be the one providing the type of temporary fixes his company was able to quickly pull together in response to what the industry refers to as “zero-day” problems: vulnerabilities that become publicly known, or are already being exploited, before a patch exists, so attackers can use them immediately to try to infiltrate other people’s computers.

Johannes Ullrich, chief technology officer at the security research organization SANS Institute, also recognizes that Microsoft needs time to build patches, but he believes that it could more quickly release a so-called beta patch so users would have temporary -- if not perfect -- protection in the interim.

“The real problem is that Microsoft leaves that opening,” Ullrich said.

Such problems are relatively rare. In most cases, Microsoft learns about flaws in its systems from security experts, who hold off on making their findings public -- and alerting potential attackers -- until Microsoft can release an official patch.

Microsoft says it is hoping to release a patch for the most recent Explorer flaw by April 11, its regular monthly security-update day, and sooner if possible.
