As US-CERT and others continue to monitor the attacks against the Windows DNS RPC flaw, the folks at the Microsoft Security Response Center say they still don’t have any better idea when a patch for the vulnerability will be available. They say they’re hoping the DNS RPC patch will be ready for the scheduled May 8 update release, but there are no guarantees. As always, the main issue is the amount of time it takes to test the various versions of the patch. The MSRC staff says it’s testing 133 different versions of the patch right now, and that simply takes time. Scott Charney, the VP of Trustworthy Computing at Microsoft, said at the AOTA summit in Boston yesterday that the testing process is the biggest obstacle to getting patches into customers’ hands more quickly.
“We’ve made some improvements there, like doing parallel testing, but there’s only so much we can do,” Charney said. “The testing process takes time and we don’t want to introduce new problems by rushing out a patch.”
In the meantime, Microsoft has updated the Windows Live Safety Scanner and Windows Live One Care to help protect customers against attacks on the vulnerability.