Microsoft has been urged to
issue security updates more frequently, after the company was last
week forced to release a security patch ahead of schedule for a
vulnerability it first knew about in 2006.
Microsoft security manager Christopher Budd said the firm had
known about the animated cursor exploit since December last year
and had been working on a fix. A security update for the flaw,
which was due to be released today (10 April), instead came out a
week early.
Raimund Genes, CTO of anti-malware at security firm
Trend Micro, said that demand was growing for a
more immediate response from Microsoft, particularly as more
unofficial fixes were being released.
For the animated cursor exploit, patches had already been
created by eEye Digital Security and the
Zeroday Emergency
Response Team.
"A closed-source shop like Microsoft will tend to want to keep
a lid on the vulnerability for as long as possible, and it does,"
said Forrester security analyst Bill Nagel.
A Microsoft spokesman said many factors affected the length of
time it took to create a fix, including the "scope and impact" of a
threat on the affected product.
Nagel says that zero-day attacks were getting nastier and better
organised, and that the response of third parties releasing
unofficial patches before the software supplier itself is an
emerging trend. As a lot more exploits are also being released on
Patch Tuesday (or the day after), Nagel recommends IT security
managers should draft plans to deal with this type of attack.
"Determining a realistic threat level is important in the
current example, this will give security managers guidance on
whether to apply an unofficial patch or wait for the official
Microsoft response."
He reminds users that if they apply an unofficial patch, they
will need to uninstall it before installing the official MSFT patch
and that they should only download a third-party patch signed by a
trusted source.
"If possible, audit the source code yourself to ensure that it
only does what it claims to do - otherwise, your patch might
contain a Trojan worsen than the flaw it claims to fix."
Blogger pips Microsoft to post with Vista
fixes
A website has already made available more than 100 fixes for
Windows Vista, which are expected to be officially released in
Microsoft's Windows Vista Service Pack 1 later in the year.
Ethan Allen, owner of vistasp1.net and
TheHotfix.net
blog claims to have received the patches from a source at Microsoft
who had access to the technology.
The patches address device driver and software compatibility
issues although none have been listed which deal with security.
Microsoft's April security update
David Lacey's
security blog
Comment on this article:
computer.weekly@rbi.co.uk