Experts are fuming over the lengthy delay -- 200 days -- between when Microsoft Corp. was first notified of a critical vulnerability affecting all supported versions of Windows and when it released a patch. The primary issue: how confidential was the information detailing the ASN.1 flaw and when can we expect the first exploit.
"Everyone in the industry knows that CERT and most vendors don't release advisories until they have a fix available," said Richard Forno, a security consultant and former CSO of the InterNIC. "In the interim, the underground and industry are talking about it, and the bad guys have a pretty defined window of opportunity to mess with people."
A Microsoft spokesperson responded to the large time lapse with this statement: "Security response requires a delicate balance of speed and quality. This investigation required us to evaluate several aspects and instances of this pervasive functionality in order for our engineers to create a comprehensive and high quality fix. This was an instance in which due diligence required us to very carefully evaluate the broadest possible implications of a single anomaly reported to us."
When a New York Times reporter also questioned the lag time, Microsoft senior program manager Stephen Toulouse replied that a quick response could introduce another vulnerability if hastily created: "We don't just produce a fix, we produce a comprehensive fix," he said.
Scott Blake, vice president of information security at Houston-based BindView Corp., said, "We believe attacks will be conducted remotely over the Internet, via e-mail and by browsing Web pages. We expect to see rapid exploitation -- it's simply a case of when it materializes."
Experts recommend immediately patching vulnerable systems, focusing on the most critical systems first.