Microsoft has responded to user pressure and brought forward the release of a patch for a dangerous flaw in its Windows operating system.

Analyst firm Gartner said the security hole in the WMF image system was a "critical vulnerability" that could damage many enterprise systems, not just those that use the affected process.

Microsoft said it was releasing the fix ahead of today's regular monthly update "in response to strong customer sentiment that the release should be made available as soon as possible".

The move came as some corporate users were contemplating the installation of an unofficial patch to protect against the growing number of exploits targeting the vulnerability since the end of December.

The unofficial patch, written by independent software developer Ilfak Guilfanov, had been vetted and verified by the security advisory body the SANS Institute.

The dilemma faced by IT directors highlighted a problem with the move by software suppliers to a regular patching cycle.

Microsoft's Patch Tuesday has brought certainty to IT departments and allowed greater planning, said Paul Simmonds, global information security director at chemicals firm ICI. But when a major flaw appeared, it could also mean risky delays.

If the emergence of unofficial patches becomes a trend, IT directors will face difficult choices over whether to risk installing an unofficial patch or leave systems exposed to attacks.

Simmonds, a founding member of the security user group the Jericho Forum, said, "An unofficial patch, wherever tested, adds another factor of risk to the equation."

David Lacey, former chief information security officer at Royal Mail and Jericho Forum founder member, suggested Microsoft look at the open source community model of development and work collaboratively with others to create patches.

Microsoft would not comment on whether it was prepared to collaborate with third parties to develop fixes. "As a general rule, it is best practice to utilise security updates for software vulnerabilities from the original supplier of the software," the company said.