Microsoft confirmed Thursday that the createTextRange security flaw in Internet Explorer will be among those addressed in its monthly patch rollout April 11. In all, the company said on its TechNet site, customers can expect five updates for Microsoft Windows and Microsoft Office -- at least one of them critical.
Still, for all the attention the createTextRange flaw has received in recent weeks, network administrator Susan Bradley has found little reason to fear it.
More than 200 malicious Web sites have attempted to exploit the flaw, which Microsoft has yet to patch. The heightened anxiety prompted Aliso Viejo, Calif.-based eEye Digital Security Inc. and Redwood City, Calif.-based vulnerability protection firm Determina Inc. to release their own fixes. But to date, no Internet-crippling attacks have materialized, said Bradley, who works for Fresno, Calif.-based Tamiyasu, Smith, Horn and Braun Accountancy Corp.
"With this flaw, I don't feel the same sense of paranoia as I did with the WMF flaw," she said, referring to the Windows vulnerability that was attacked on a massive scale at the start of the year, prompting Microsoft to release an out-of-cycle patch.
"This time, Microsoft has been very clear in saying the flaw is there and that they're working on a patch to release on a specific date," she said, "and they've offered workarounds."
With WMF, she added, Microsoft said it was working on the problem, but there was a week-long period during which customers received little or no information as to when a patch would be released, even though the threat of exploitation was looming over enterprises. But now, she said, borrowing a phrase from the Star Trek universe, "the shields are holding."
While Bradley isn't as concerned about the createTextRange flaw, exploit code has been in the wild for at least two weeks, renewing debate about Microsoft's patching process. Specifically, some have wondered whether monthly patching is still the right approach at a time when zero-day attacks are becoming more likely.
For her part, Bradley doesn't want to return to the days when Microsoft would release patches at any time of the day or week, without warning.
"For someone who wants patches to come out any old day, I would remind them of what it was like before the monthly patching process," she said, noting that she's been an IT administrator since 1999, when a lot of today's patching tools didn't exist and there was no advance planning. "You'd get a bulletin with no advance warning and say, 'Oh my, I've gotta do a risk analysis'" Today, she said, having a a schedule that her organization can plan around works much better.
But if a recent online poll conducted by the Bethesda, Md.-based SANS Internet Storm Center (ISC) is any indication, not everyone agrees.
ISC asked, without mentioning any specific vendor, "Is a monthly patching cycle good?" Of the 1,401 responses:
- 21.1 % said yes, the benefit of planning the work makes it worthwhile;
- 2.6 % said no, it's too much work at once;
- 6.1 % said yes, the vendor must test it 100 % and a few more days can't hurt;
- 32.3 % said no, they want choices on the amount of risk they take and need patches as early as possible; and
- 34.2 % said it depends: vendors need to stay away from it when there is serious risk involved.
One respondent commented, "If testing is required, then test it for a few days. Every day a working patch is sitting around is one more day for hackers to do millions of dollars of damage. I'm surprised companies don't get sued for doing slow monthly patching. It's a liability."
Going it alone
Opinions on Microsoft's patching cycle aside, Bradley and other IT professionals said there are plenty of ways to mitigate threats while a patch is in the works.
Glenn Hill, IT security manager for Northeastern University in Boston, said his department uses "automated means" to keep machines patched. But while patching is essential, he said, it's not foolproof.
"As one might expect in an academic community, we have computers on our network that we don't own or control," he said in an e-mail exchange. "Accordingly, we also rely on the human element to keep the computing environment safe."
That means making users aware of the dangers in cyberspace and educating them on how to avoid them.
"Especially with IE vulnerabilities and exploits, we find that user awareness of safe surfing habits," avoiding unsolicited links, for example, "is tremendously helpful as a preventive control," Hill said.
'Patch Tuesday' details
Expanding on the pre-release information Microsoft provided today for its Apr. 11 security bulletin, the software giant said four of the updates will specifically address windows issues, while the fifth involves an issue relating to Microsoft office. There is expected to be one non-security, high-priority update via Microsoft Update (MU) and Windows Server Update Services (WSUS).
While Microsoft outlines the number of planned security updates and the programs affected the Thursday before each patch release, it doesn't go into detail on what the flaws are. When an update affects Windows, the company typically doesn't eleaborate on which components of the operating system are affected. The company made an exception this time by mentioning that the createTextRange flaw would be fixed in a cumulative IE update.
As it does each month, Microsoft said it will also release an updated version of its Windows Malicious Software Removal Tool via Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.
"Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released," Microsoft said.
Customers looking for additional guidance after the patches are released can watch a Webcast Wednesday at 2 p.m. ET, 11 a.m. PT. A link to the Webcast site is included in the TechNet advisory.