| COLUMN |
Security Blog Log: Nash, still at helm, addresses IE fixes |
 |
|
|
---------------------------------------------------------------------------------------------------------
Mike Nash may be stepping aside as VP of Microsoft's Security Business and Technology Unit, but a Wednesday night entry in the Microsoft Security Response Center blog shows he's still in command, for now.
He used the blog to clear the air about upcoming fixes for Internet Explorer (IE) that will change the way ActiveX works and address the latest security holes.
A mega patch for the browser is due out April 11, though Nash suggested it could come out early in response to the so-called createTextRange flaw, which has been targeted by exploit code in the last week. Concern over the security hole has prompted Aliso Viejo, Calif.-based eEye Digital Security Inc. and Redwood City, Calif.-based vulnerability protection firm Determina Inc. to release their own fixes. Meanwhile, Microsoft is making the ActiveX changes in response to a patent dispute.
"So what's going on? Three things really," Nash wrote in the blog. "The first relates to Microsoft's involvement with the Eolas Technologies and the Regents of the University of California v. Microsoft patent case (Eolas v. Microsoft), which requires that Microsoft change the way that IE handles ActiveX controls … When we release the next cumulative IE security update, customers will only be able to interact with Microsoft ActiveX controls loaded in certain Web pages after manually activating their user interfaces by clicking on it or using the tab key and enter key."
To help developers verify that their applications work well with the ActiveX change, Nash said, Microsoft made it available to developers Feb. 9. Microsoft also made the change available as an optional update on Windows Update and the Microsoft Download Center on Feb 28, he added. At the same time, Nash wrote, the ActiveX change was made available to OEMs to include on all new systems shipping with Windows.
"The second issue is that we have a number of security vulnerabilities in IE that are scheduled to be addressed in our next release of security bulletins on Tuesday April 11, 2006," Nash said, referencing the createTextRange flaw. "As you know, in order to reduce the complexity of updates and to improve quality, we ship all IE updates as cumulative updates. As a result, the April security updates will include the non-security ActiveX change to respond to the Eolas case."
The message seemed to suggest that Microsoft will not release a security update prior to April 11. Some wondered whether the software giant would release an update prior to Patch Tuesday, as was the case when exploits circulated for the Windows Meta File (WMF) flaw in January, for which vendors also released third-party fixes.
Finally, he wrote, Microsoft is responding to the zero-day clearTextRange vulnerability in IE. "The good news here is that we are on a path to include the fix for the zero-day vulnerability as part of the April IE cumulative security update and possibly sooner if our ongoing monitoring and analysis of attempts to exploit vulnerability shows customers are being impacted seriously," he said.
Microsoft's enterprise customers have been concerned that the upcoming ActiveX changes will cause functionality problems, so Nash outlined steps Microsoft will take to smooth the road ahead:
- New machines that ship with Windows will include the ActiveX change.
- The upcoming cumulative security update will include the IE ActiveX change, but Microsoft will also create a "compatibility patch," deployed like a hotfix, that allows customers to turn off the change until they can resolve compatibility issues. Customers will have until the June Security Bulletin release to work out the kinks.
|
|
|
|
