Microsoft has been urged to issue security updates more frequently, after the company was last week forced to release a security patch ahead of schedule for a vulnerability it first knew about in 2006.
Microsoft security manager Christopher Budd said the firm had known about the animated cursor exploit since December last year and had been working on a fix. A security update for the flaw, which was due to be released today (10 April), instead came out a week early.
Raimund Genes, CTO of anti-malware at security firm Trend Micro, said that demand was growing for a more immediate response from Microsoft, particularly as more unofficial fixes were being released.
For the animated cursor exploit, patches had already been created by eEye Digital Security and the Zeroday Emergency Response Team.
"A closed-source shop like Microsoft will tend to want to keep a lid on the vulnerability for as long as possible, and it does," said Forrester security analyst Bill Nagel.
A Microsoft spokesman said many factors affected the length of time it took to create a fix, including the "scope and impact" of a threat on the affected product.
Nagel says that zero-day attacks were getting nastier and better organised, and that the response of third parties releasing unofficial patches before the software supplier itself is an emerging trend. As a lot more exploits are also being released on Patch Tuesday (or the day after), Nagel recommends IT security managers should draft plans to deal with this type of attack.
"Determining a realistic threat level is important in the current example, this will give security managers guidance on whether to apply an unofficial patch or wait for the official Microsoft response."
He reminds users that if they apply an unofficial patch, they will need to uninstall it before installing the official MSFT patch and that they should only download a third-party patch signed by a trusted source.
"If possible, audit the source code yourself to ensure that it only does what it claims to do - otherwise, your patch might contain a Trojan worsen than the flaw it claims to fix."
Blogger pips Microsoft to post with Vista fixes
A website has already made available more than 100 fixes for Windows Vista, which are expected to be officially released in Microsoft's Windows Vista Service Pack 1 later in the year.
Ethan Allen, owner of vistasp1.net and TheHotfix.net blog claims to have received the patches from a source at Microsoft who had access to the technology.
The patches address device driver and software compatibility issues although none have been listed which deal with security.
David Lacey's security blog
Comment on this article: firstname.lastname@example.org