Microsoft criticized for release schedule
By Steve Ragan Apr 6, 2007, 9:52 GMT
Microsoft has released the patch for the critical .ANI vulnerability. They released it ahead of the normal Patch Tuesday release date, and hoped that it would stem the grumbles and complaints that many in the IT Security field and normal home-based users alike shared. Instead, the patch broke programs, and caused frustrations for users both home and business, which led Microsoft to release a second patch to correct the issue.
The problem is not only the broken patch, but also growing frustrations with Microsoft over the way they deal with patching their software. The major complaint with this recent vulnerability is that Microsoft was aware of it long before McAfee reported exploits in the wild. Determina warned Microsoft in 2006 about this vulnerability, a fact Microsoft freely admits too. Why then was there no security update released to address the issue?
To add to the growing angst, there was the month of March. In March, when many were expecting the newest round of patches to address known and vulnerable Microsoft software, the news came a week before the Patch Tuesday release, that there was to be no new security updates. While jokes were made that it was due to the daylight savings time patches and worries, secretly, many network administrators were fuming. Thousands of dollars are spent on networks and thousands more, per company, are spent on Microsoft software. The frustration came to a head this week and many security experts are speaking out on Microsoft and their patching schedule.
Nand Mulchandani of Determina, who discovered the latest flaw in December 2006, spoke up concerning the patching methods used by Microsoft. In an interview with SC Magazine, he is quoted as saying, “The question is, is the public better served by holding these critical vulnerabilities until a super Tuesday or issue them out of band?...The thing we are encouraging Microsoft to do is when Microsoft gets hold of a critical vulnerability, they need to somehow figure out a way of moving ahead in a way that fast-tracks the critical vulnerabilities and then potentially deemphasizes the ones they can do every super Tuesday.”
In what seemed to be a response to that statement, Microsoft’s Mike Reavey wrote on Security Response Center blog that they had received questions as to why it took five months to develop a patch for the issue.
“This issue followed the same process that we use for all vulnerability reports. Based on the severity of the initial report, we began driving for release right after we were able to verify the vulnerability reproduced,” Reavey said. “The level of priority that we assign to a vulnerability is based on the severity of the vulnerability and the risk to customers. The level of urgency and our willingness to “shortcut” steps in the process, such as quality testing, to release on a faster timeline is based on the actual risk to customers at that time.”
Regardless of whether or not an issue is responsibly reported, Reavey said, if customer risk is imminent, Microsoft balances the need for quality and comprehensiveness with the need to protect customers as quickly as possible. That would explain the Realtek errors. The vulnerability was being actively exploited, and still is for that matter, but no matter how fast a fix was released, most of the experts on security say Microsoft should change the way they react to such threats.
“The thing that is especially galling about the whole situation is that obviously they have been sitting on these fixes for a while and the net result for the consumer and the enterprise is pretty much the same. They’re still going to have to do an out-of-cycle patch,” Mulchandani said. “But of course they’re going to have to do it under duress and with a lot of the craziness and cost associated with having to drop everything, do this patch, and of course, seven days later, they’re going to end up having to do it again.”
The general thought is that if there is a serious threat Microsoft moves faster to provide out-of-cycle patches. This leads to the questions of why they do not react that way all the time. Microsoft has the ability to patch faster, and the resources, but they still choose the same release dates, and cycles.
“The fact that they were able to get a patch out in four days or less shows that they can act very quickly if needed,” Mulchandani said. “My attitude about this is that all of these vendors, when they get a critical vulnerability through the door that they acknowledge, they should act as if there are ongoing attacks with this vulnerability. A non-critical vulnerability, OK, you can let it slide a little bit.”
A serious point echoed by many. Microsoft made a big deal about the disclosure of the .ANI vulnerability. “As we’ve mentioned, this vulnerability was responsibly reported (which means confidentially reported) to us by Determina on the 20th of December,” Reavey said. “When the report came in, we immediately understood the severity of the issue and triaged this as a vulnerability that would require a security update.”
It is a known fact that just because something was not disclosed publicly, does not mean that someone else knows about it and is actively exploiting it. Take the news from McAfee for example, in just a few short days after they released a warning about exploits for the vulnerability, there were three others coded and released to the public. If Microsoft had acted faster, it might have been a non-issue.
Reavey defends the process of the patch on the MSRC blog with, “For this issue in particular, the update modifies functionality that is pervasive and core to the operating system, both in graphics rendering, as well kernel mode operations…So extensive testing was performed, and that process involved hundreds of folks in multiple teams worldwide to ensure as complete coverage as possible. In this case, at one point our testing had uncovered over 80 potential issues with the update that were investigated and resolved.”
With that said, it is a “damned if you do, damned of you don’t” situation. While many call for a revamp of the patching process, the fact is if they change it suddenly, it might cause more harm than good. Not to mention, security experts agree not all vulnerabilities need instant patches. The ones that need instant patches, it is said, should get them, because they are severe. It is unlikely that Microsoft will change anything in the way that they operate in regards to patching. At least for now.