Experts are fuming over the lengthy delay -- 200 days -- between when Microsoft Corp. was first notified of a critical vulnerability affecting all supported versions of Windows and when it released a patch. The primary issue: how confidential was the information detailing the ASN.1 flaw during that period?
"Everyone in the industry knows that CERT and most vendors don't release advisories until they have a fix available," said Richard Forno, a security consultant and former CSO of the InterNIC. "In the interim, the underground and industry are talking about it, and the bad guys have a pretty defined window of opportunity to mess with people."
A Microsoft spokesperson responded to the large time lapse with this statement: "Security response requires a delicate balance of speed and quality. This investigation required us to evaluate several aspects and instances of this pervasive functionality in order for our engineers to create a comprehensive and high quality fix. This was an instance in which due diligence required us to very carefully evaluate the broadest possible implications of a single anomaly reported to us."
When a New York Times reporter also questioned the lag time, Microsoft senior program manager Stephen Toulouse replied that a quick response could introduce another vulnerability if hastily created: "We don't just produce a fix, we produce a comprehensive fix," he said.
Scott Blake, vice president of information security at Houston-based BindView Corp., said, "We believe attacks will be conducted remotely over the Internet, via e-mail and by browsing Web pages. We expect to see rapid exploitation -- it's simply a case of when it materializes."
Experts recommend immediately patching vulnerable systems, focusing on the most critical systems first.