Microsoft News Tracker

What's more interesting than observing Microsoft?

March 28, 2006

Everyone is patching IE but Microsoft

Posted by David Hunter at 9:56 PM ET.

As Yogi Berra said, it’s like deja vu all over again. If you don’t follow any of the links in the next paragraph, it reads like the WMF exploit of two months ago, but it actually is the latest Internet Explorer nasty. Here’s the plot:

There’s a gaping drive-by Internet Explorer security exploit that cropped up without any prior warning and is now appearing all over the Web. Microsoft unhelpfully says don’t surf in any sleazy areas and we’ll have a patch next month on our regularly scheduled Patch Tuesday. Commentators note that with hacked web servers, exploits are appearing in the nicest neighborhoods and as a result, security companies are coming out with their own patches ([1], [2]) of which Microsoft disapproves. Nonetheless, Microsoft says they may well ship their own patch early if things look really, really serious.

This exploit has somewhat less potential for damage than the one of two months ago because simply turning off Active Scripting will immunize those clever enough to know to do it and to know how, but it leads one to wonder how many times we’ll get to relive this story. Robert McMillan reports at InfoWorld that the point isn’t lost on Microsoft, but they claim they are hard pressed to provide fixes any faster, citing quality and compatibility concerns among other reasons. One quote I liked:

Microsoft’s practice of holding security fixes until the second Tuesday of each month, called “Patch Tuesday” by administrators, can sometimes hurt home users because they may not have the benefit of the “layers and layers” of protection that are typical in corporate environments, said Todd Towles, a security consultant based in Austin, Texas.

“In the past, I wouldn’t have a problem with the Microsoft delay, but this is happening too much,” he said. “Microsoft waits for Patch Tuesday to make corporate patch management teams happy, but this is only hurting the millions of home users that live at a higher security risk.”

And that’s the nut. It wasn’t so long ago that Microsoft patches were delivered “as needed” on what seemed to be a fairly timely basis, but the monthly “Patch Tuesday” was instituted to regularize the process and channel the apparent flood. I can’t believe that the Microsoft teams have really gotten any slower. Would it really be more disruptive to have a two-tier system with the mundane patches coming on one Tuesday a month and the really serious ones coming as needed? That’s effectively what’s happening anyhow when patches get released early, as was the one for the WMF exploit two months ago. As it stands now, it looks like Microsoft is being dragged unwillingly to participate.

Filed under Internet Explorer, Microsoft, Patch Tuesday, Security

One Response to “Everyone is patching IE but Microsoft”

  1. Third party patch released for zero day Microsoft VML exploit -- Microsoft News Tracker Says:

    [...] There’s another serious zero-day Microsoft security exploit in the wild hitting Internet and Outlook and the citizens are taking matters into their own hands instead of waiting for the Microsoft cavalry. I think I’ve heard this story before. Maybe twice. The twist is now that the citizens are more organized as Ryan Naraine reports at eWeek: A high-profile group of computer security professionals scattered around the globe has created a third-party patch for the critical VML vulnerability as part of a broader effort to provide an emergency response system for zero-day malware attacks. [...]
