Despite being billed as one of the worst flaws ever found in Windows software, many security managers and administrators didn't immediately apply a patch for the ASN.1 parser library vulnerability, according to a recent SearchSecurity.com minipoll.
Forty percent of respondents planned to test the patch prior to applying it, while another 12% planned to apply it on a routine schedule, according to the poll, which drew 138 responses immediately following news of the vulnerability.
Interestingly, Microsoft said it took 200 days before releasing the patch to make sure it didn't break other applications. That only 43% of those polled planned to immediately apply the patch indicates internal QA remains a critical component of an enterprise's patch management system -- regardless of how well tested it is by the software maker.
Given that patch pattern, it's no wonder that 77% said the delay wasn't warranted, according to the poll results.
This vulnerability is caused by integer overflows and other flaws in integer arithmetic in the ASN.1 parser library in Microsoft Windows NT 4.0, 4.0 TSE, 2000, XP and Server 2003. It can permit an unauthenticated remote attacker to execute arbitrary code with system privileges. According to the Computer Emergency Response Team (CERT), any application that loads the ASN.1 library -- including a number of cryptographic and authentication services -- could serve as an attack vector.
Exploit code began circulating less than a week after the patch was released, justifying the beliefs of one-third of poll respondents who said it would happen within days of the patch. An additional 39% said exploit code would begin circulating within a few weeks, but 18% said it was circulating prior to the release of the patch, which took Microsoft more than a half year to produce.
In other Microsoft news, leaked source code may be to blame for an Internet Explorer vulnerability announced to the Bugtraq security mailing list. However, experts say the "new" vulnerability was fixed by a patch long ago.
"This is a real vulnerability in old versions of IE5, but was fixed years ago," said Thor Larholm, a senior security researcher at Newport Beach, Calif.-based PivX Solutions.
"I believe that (the leaked source code) will cause a period of insecurity with a hoard of vulnerabilities, followed by a hardened OS as a result of vulnerabilities being exposed," said Larholm. "The weeks to come will show whether there are any vulnerabilities left that are still exploitable, or if Microsoft did a thorough job in its Trustworthy Computing initiative."