Microsoft Not Happy With Third-Party Security Patches
SEATTLE – When Microsoft Corp. (MSFT) researchers learned recently that a software flaw had been made public and could prompt Internet attacks, the company ordered a team to devote all its time to fixing the flaw and making the repair work with other products.
Microsoft argues that's the approach customers want and expect, but some security experts complained that the software company's traditional method, which could take days or weeks, wouldn't help people fast enough.
So for the second time in three months, outside programmers took matters into their own hands by quickly releasing their own fixes, days ahead of the official Microsoft patch for its market-dominant Internet Explorer browser.
Microsoft doesn't endorse such third-party fixes, warning it can't vouch for whether they will work smoothly with Microsoft products and other applications. But those providing them argue they have a responsibility to protect users from attacks.
"It's kind of like having the cure and not sharing it with anybody," said Marc Maiffret, chief hacking officer with eEye Digital Security Inc. of Aliso Viejo, Calif., which earlier this week released such a fix.
Rather than replacing Microsoft's own patch, Maiffret says he is hoping to provide a bandage for the interim.
The security expert also doesn't fault Microsoft for taking time to finalize an official patch because it can be difficult to make sure that repairing one part of the complex Windows operating system, which includes Internet Explorer, doesn't cause problems elsewhere.
He also realizes that a patch like this can cause any of the thousands of non-Microsoft applications running on Windows machines to stop working, crippling businesses and frustrating home users.
But Maiffret argues that Microsoft should be the one providing the type of temporary treatment his company was able to quickly pull together in response to what the industry refers to as "zero-day" problems — vulnerabilities that attackers can immediately use to try to infiltrate other people's computers.
Johannes Ullrich, chief technology officer with the security research organization SANS Institute, also recognizes that Microsoft needs time to build patches but believes the company can more quickly release a "beta" patch so users would have temporary — if not perfect — protection in the interim.
"The real problem is that Microsoft leaves that opening," Ullrich said.
Such problems are relatively rare. In most cases, Microsoft learns about flaws in its systems confidentially from security experts, who hold off on making their findings public — and alerting potential attackers — until Microsoft can release an official patch.
But occasionally, reports of a vulnerability leak out before Microsoft has time to build a fix, creating a dangerous situation in which attackers can take advantage of the flaw while users have little protection.
When Microsoft faced such a problem a few months ago, SANS recommended that users download the third-party fix because of the unusual severity of the threat.
This time, Ullrich said the flaw appears to be less worrisome, so SANS is recommending that people either disable part of Internet Explorer or temporarily use an alternative browser, such as Firefox or Opera.
Microsoft says it is hoping to release a patch for the most recent IE flaw by April 11, its normal time of month for issuing security updates, and sooner if possible.
In the meantime, Stephen Toulouse, a program manager with Microsoft's Security Response Center, said the company is working with other security companies to help guard against attacks, and helping to shut down the Web sites that exploit the flaw.
Toulouse said the company also is trying to find ways to create and test its patches faster — for instance, by conducting tests in tandem rather than one after another.
But Microsoft, he said, cannot risk releasing a patch that causes problems for even a small number of users because people may decide not to use the fix at all if they hear it's problematic.
"The huge responsibility we have is that we have to answer to our customers, and our customers represent potentially hundreds of millions of different configurations," Toulouse said.
Third-party fixes also create the potential for a malicious person to release a pretend fix that is really an attack, much like the occasional e-mail falsely attributed to Microsoft and others, masquerading as legitimate communication but really luring users to malicious Web sites.
Even well-meaning programmers have the potential to wreak havoc on businesses if their unofficial fix has even a minor problem, said John Pescatore with research firm Gartner.
"The analogy I use is, if the FDA was testing an anticancer drug, and your neighbor said, 'I have an anticancer drug,' would you use it?" Pescatore said, referring to the Food and Drug Administration.
Meanwhile, Microsoft will likely have to keep grappling with this problem, despite all the security improvements the company has made in the past few years. It takes only a few programming mistakes — amid millions of lines of code — to expose Windows users to potential attacks.
"Even if they're doing everything right," Maiffret said, "there's going to be four to five mistakes a year, and those four to five mistakes are going to lead to the same things you're seeing now."