
Microsoft patch delay may contribute to early exploit

By Shawna McAlearney, News Writer
12 Feb 2004 | SearchSecurity.com


Experts are fuming over the lengthy delay -- 200 days -- between when Microsoft Corp. was first notified of a critical vulnerability affecting all supported versions of Windows and when it released a patch. The primary issues: how confidential the information detailing the ASN.1 flaw really was during that window, and when the first exploit can be expected.

"Everyone in the industry knows that CERT and most vendors don't release advisories until they have a fix available," said Richard Forno, a security consultant and former CSO of the InterNIC. "In the interim, the underground and industry are talking about it, and the bad guys have a pretty defined window of opportunity to mess with people."


"If Microsoft really considered this a serious or critical vulnerability for nearly all Windows users, it should have been a 'drop-everything-and-fix' thing resolved in a short period of time," said Forno. "Nearly 200 days to research and resolve a 'critical' vulnerability on such a far-reaching problem is nothing short of gross negligence by Microsoft, and is a direct affront to its much-hyped Trustworthy Computing projects and public statements about how security is playing a much more important role in its products."

A Microsoft spokesperson responded to the large time lapse with this statement: "Security response requires a delicate balance of speed and quality. This investigation required us to evaluate several aspects and instances of this pervasive functionality in order for our engineers to create a comprehensive and high quality fix. This was an instance in which due diligence required us to very carefully evaluate the broadest possible implications of a single anomaly reported to us."

When a New York Times reporter also questioned the lag time, Microsoft senior program manager Stephen Toulouse replied that a hastily created fix could itself introduce another vulnerability: "We don't just produce a fix, we produce a comprehensive fix," he said.


The ASN.1 vulnerability can permit an unauthenticated, remote attacker to execute arbitrary code with system privileges. ASN.1 is used by a number of cryptographic and authentication services.

Scott Blake, vice president of information security at Houston-based BindView Corp., said, "We believe attacks will be conducted remotely over the Internet, via e-mail and by browsing Web pages. We expect to see rapid exploitation -- it's simply a case of when it materializes."

Experts recommend immediately patching vulnerable systems, focusing on the most critical systems first.
