Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Why Did Microsoft Delay IE Patch?



 By: Ryan Naraine
2006-08-23
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Sources say a problem with the way Microsoft's proprietary patch management tools handle compressed files caused the delay in the re-release of a critical browser patch; MS and a security researcher exchange sharp words over the issue of responsible discl

Microsoft has temporarily delayed the re-release of a critical Internet Explorer browser patch because of problems with the way its proprietary Systems Management Server handles cabinet (.cab) files, according to sources familiar with the matter.

The Redmond, Wash., software giant markets SMS as a business tool for simplifying patch management, but because of a bug in the way the SMS architecture handles certain compressed files, the company temporarily cancelled the patch release originally scheduled for Aug. 22.

Microsoft delays software updates typically because of quality assurance concerns, but this is the first time the company has made it known that a kink in its distribution mechanism is the cause for the temporary cancellation of an important patch.

The decision is not sitting well with Internet security experts.

Read more here about the vulnerability introduced by Microsofts IE browser patch.

eEye Digital Security, the private research outfit that blew the lid on the exploitable nature of the vulnerability after Microsoft described it as a simple browser crash, says a flaw in SMS is no reason to leave customers at risk of code execution attacks.

Resource Library:
"[Microsoft is] delaying a security patch, not because there is a problem with their patch, but a problem with their proprietary distribution engine," said eEye Chief Executive Ross Brown, in Aliso Viejo, Calif. "Auto Update works and a million other patching vendors should be able to handle it, but because SMS is flawed, they are leaving customers unsecured?"

In an entry posted to his personal blog, Brown bristled at Microsofts contention that eEye acted irresponsibly when it announced its discovery that the browser crash could be used to plant malicious code on fully patched Windows systems.

He offered a chronology of the events that led to the Aug. 22 decision to delay the patch, arguing that Microsofts own security advisory "tells the bad guys exactly where the vulnerability is."

"So, to recap, Microsoft writes a patch that causes another flaw, then delays releasing the patch (unless you call Microsoft support) and then releases the information needed to identify the vulnerability in their own advisory update," Brown said.

On the official MSRC (Microsoft Security Response Center) blog, program manager Stephen Toulouse described the decision to delay the IE patch as "difficult but necessary."

"Providing the update in its current state would have resulted in customers being unable to deploy the update," Toulouse said. He did not elaborate on this or confirm that the SMS issue was the cause for the delay.

Click here to read about Microsofts previous problems with the quality of its patches.

Toulouse said Microsoft made a decision to withhold the full security implications of the browser crash because that would have been a violation of its position on responsible disclosure and would have put customers at increased risk.

"This was another difficult decision on our part. There was no intent here to misrepresent the issue as not being exploitable. Oftentimes, however, we find ourselves in the position of having to strike a balance between providing information equally to users who would use the information to protect themselves, and attackers who, history has proven, will immediately use the information for criminal purposes," Toulouse said.

However, eEye Chief Hacking Officer Marc Maiffret said Microsofts stance is hard to understand. "This information is already known in research circles and also [to] exploit writers," Maiffret said in an interview with eWEEK.

Indeed, according to security alerts aggregator Secunia, based in Copenhagen, Denmark, at least two research outfits—eEye and Bold Internet Solutions—reported the exploitable condition to Microsoft.

"If we are finding this, we have to assume the bad guys are looking and finding it too," Maiffret said.

Microsofts Toulouse confirmed that the company was working with multiple researchers and said there was a disagreement on when to go public with the information that the bug was much more serious than a browser crash.

On the official IE blog, Microsoft Group Program Manager Tony Chor was scathing in his criticism of eEye, accusing the company of "irresponsibly" disclosing the severity of the flaw.

Neither Chor nor Toulouse could be reached to react to eEyes claim that Microsofts own advisory mentioned "long URLs" as the cause of the crash, in effect pointing potential attackers in a certain direction. In Chors blog entry, he also mentioned that the vulnerability exists through a crash in "urlmon.dll," which is much more information than eEye and others released.

Chor said Microsoft will hold the developer responsible for the new vulnerability introduced by the original IE patch. "Unfortunately, we missed this issue, plain and simple. In parallel with making the right fix, we have been working through how we prevent similar mistakes from happening again. For instance, we have code-reviewed the past ten months of code check-ins from the developer responsible for this issue," Chor said.

He said the company was also "reconsidering" staffing and tools to allow it to scale better during heavy load periods.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Why Did Microsoft Delay IE Patch?
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}kw89v2Ei;Rlɱ&屔xh)ئHIVzO/߸U҃H{&ݶ%, UBPwH9s4ô1f%STI]"I~zhC(3`R)_rdxBԲ|WR #Yخtj5O5vGl$J~z'AT{j xL9uΜ]ٜjc7h2 Xm (krZC'Aj(CJ{(Z=  w,8$a}#$F g*N5ol Q)R/F:wkf} 5~yf *;U;arhP;U{aUhw/@^c\ȁ\nh=T L=iTVC;&3ÝtXF?Dc9 NRY RiSӂhY{lɧ9\gԏPL0H<~0[ QM%$7 .nq`=2}h .*!}- :l<$..8acM  @2xZ`:vxtTa_dY33ML&o@֭CU)ZpX*^rww3mù-Ӟݛ89n^wozYj޻^HQPw7@ږkZTa(;W^O.ggaa'H|$Fj}&DeR)I&0h'6tt<_B^ ,9:GFI?jn/Ղz .C=-bv=ӧ0CF_8(Ja>'sK߾ڤ>>=O}~0fPUU~ 32ؕΊgxk_:OZOםVGNW9n83tfAZ|_ko~?c!~j[ dP[w8LwZ/) /m2 OGgcdx,˭~~F {훨-4K9K }1xc%#,_ fk7 Jsi)":sP;H}N(m҄j 9B%ϙy[7>hr Ce)#8?̓IhJq䰉cYSl؅ R捇oBiOM XRU>I"A[fT}O ${3BDȭ`g@ BD4?CzC0&pt/\~_5 .΃awW9Q] K\MޢG <7Nv..~:ozmxX18,]evb`\67je?6Ra ^,+WL F̶-a[e)u5߽?  aM6ulZjx>:ACA4icŦwh4N@'&h`C:}ҍ:L`;Nh>[W jwuΙ/ܑ-ӾZ2߄T 9uC \D r}͚X 4ؐ|&B7Cn^ʚtɕ \=PS U+b*q ( 4zS\O &Δō$)ЊO}=lYWo%,~k%fcP.KúJJ'~7Bɶ/^¢xmP2D֑Rkò=2P< Cx E~҆TSs  XU.*raȔen1jAsXjgܰ&P 7C~0-j(6 /gXSq:hzE>iwh[hr NgG ǏiТ0T]2akRJMIas(zq |X0b=9ߛ8[%5f/.gK I{y]ؕ.RLjFd>j 'L[aHz{>cTfha82-|?x;HycI_)~$[b"ud\6˰@e9ִ&3r,˹& zfd͞0Rܴg&'zQ4*$o秚+F#A̧^ǨalE+ 570M:CLKo=9>8آqW;PV}89G&b)&GJtlʂu! 2h:,n`{]0>AG5h0qH&;3E689 o:+@5-r JI h5[SG3GťR Cn׃3Z`zž.+~֬Ӫ`b/mCc$D! #2z p[kh0-f;[;pL' Ekfh+sJbOW2Eݚiz|ylFITy3is{%[ȓw&J ĴT.[C5^-(93Z]-M:f2/cXhU-'0`L4Ω$6 خiϼV:>e6e'}m\c'o2\$t#\ wlS3ѻMslޥ0͜)6@y`AAW+6Xil=v͵H| f^-Vif?y, JLH-ǯ i3FɁ㚺/k3OS~_&I|SeYȃVV82V6jRaokA~fZX)C='0R WTQ>cO3(~ (zC9+u{~>RXS,.=HuXJP?ITAtEUTn?mVPVW`Zd&s\%\{3i0o(Q󱋗~fDmR/)3nQ/ ~egm S?PG te[,uQCrֹhK^Kփ w"YKrBVë(_!a C{ z H)'4 N%:\bϺ;$VB R`2"(BS.iDO§,>^59Sj6>#EG%'}KiV X x4hWK0fAda+F+9ǭZϤ{GHY 9/g`!IB^2 7{KP -Mu?S4 jGYkNEm펇{6-~=`rr(SJ$M6'in&. [5Kb).RJ<:<Ad:Y$yYIzJ,RTeD$SQSKFI39uޜ-Hy9Ym ybXýMی3%[/ ã ,-Y+4$/i\A1;ͳp",G7Dh CTդ g껰Ϋ؉C6OY`09+R~]ȩ_uwj̣{cy~"ѴGNxL7Ď#^@(NVu2k=7x'_YN.t09]#ΣdtWcT1;>^Y]s6ͥ=O̴E{wmhG(V=w9c99Pn8:ʳ/q1~<,?4fڈbiuEOgi^|韂&Gm_ |1$[Э>u?y{ho&<)sǣAlk59obJwfim =hKx?v/Jowҽ{g;ᧅ}EstRTsd;I6ӱ$BEͫ*ۻʾ\EVd.tѓ w|621@7YU (f~X;pOҠc}dOY.=]f+wQ[]x͞wYiYU.J\-"PnǸZ^|:W%0.ՁC`cDs*aK=04Cx" x ZAB|dC7ƳiG(ҦRzvV 4r< eV-m#wYZ3/+˯;65Dsٖ@ql ggpnƗפ3˦o%-i{ƢRp^lI0nlUDݔ*/8|uI4` 'O@yRҚ_ݯj楰40uH 4~ȵ<=:BxTؔ]/Ȯǎ=2T+JZڈSCfe4Sf DZixir2''8F䋋[[[[_ߊfAX%=5=#ΕXu m _4߼R}MJ(IxwToaVwr&8[6V`vxXo|c;w5T> 0AgZYlȥsqH5_:KjRRY`+XDy1O_p{8`W#X|y~gӖp)%zDB sMЙ$|/G^mrX66H?Ò ԝ;N`X Hīǃ,<Ϟ FDO_ tX76!'<)9z Kigӛ$W\yu_$֙(527 ys; Lǘ]P6^#in*[<H O0o g[^?D B4ꆜ=%|NOLtͥ&W: J ZRZmZ9wu/?l!A0C;DC(ymJ7<ks理wxpppprR-n^4'TR9 hX3 Y%u`aaUapeSnĻ,e ~u{Zdƶo|oZ(GVx1)+u>뉍 `llTO=`l7=oX'hFn11GhokcӚea$~ zgf^.5,iÊb“ths>qD ^?ͱml\t`7P5"77+3WEXm>RJ\̪x 4{@R7_.}H"x߉'r S-9k~*~/u~#06V-NP /*`5-k;hOק>*.b1DKb맟@/j SȐ]7y+{SM8/wgCiSnc޲ѯ"su} xdY+ Z,: ^9u/STC䉯}jHow<7̅=T=v E.On8š+=5t]Th_y#,~Ut GR(j  *>d7  W*Dz'y'hv"J\Ġ۝js3QbbPHB!hMJ? ,q(Dsı:Ñ2.ċVAXz- wDVj9DNE0V!7"vya@`8(ĒAuc{ h#8XҲ񦚵z0lshh,vxQUȥkc.ᵡ RY-OQ/ ]ZX,:~eL<_AFw3 i/ȍ"r\IoA$TC@)rMZj>Al;ٟ3#lzZC JOk&pVi Kj+mLxoW8Ow| 􄼥޼vwO%YՉH[ -;Y9uOx:_EG8acV]Qd#o@`m 4,\ :\πTnA4`]"iR%24VVߡZ,Jvvȟ_Cj< %ȕJ9 9 Փ>/,bGc0/Ř`^.b¼y֜TXC,|]6Fs,kG Ř&|d8|}P.[ozpҸƱ\Km2%>iC$0qև54z^JL7"|͑rOO3;8g( :{baRS[[78GF_ 6f^zWZQ1IG)}o k#b2zވq'q5`GPw;LQYj*!b3wȣ4ϓ }f@#ET&}aA=`Aa~M#[C P/1MF˜s 7$,0A5A"\2 t L`r fi!p͒w\j:rtT {b8+M 5߃3,ȏ]xKlݜ(8ãZ1I(tCK/HzsAL&B2_7=}m?݉2{xbwT IhR tP(9CȮ KDP]{ʠYQ^*uӄ^I+\QY / PIj W{uK=k`fڟh,\yyytH\ۤw|չw}ֽcO֊_l՝nqI}yչ'&)hT/晶L۝%,C rr;j12;ZTmzf/ [+!z_U9iz67ax<P "g>^sФo%uggcFW(Q~Wˏ͌.w3ʑ[@V;ʏח}N2!>A姝\㴳5:r_'\dC;5>2ʿ@g,9^1>y< ><@ g9y^d?gBiFߠoP~Q{1 ?sw1~]7]? /q _fs?=eg_P埀>eg(U}3s::3/9IR< 9k^K(keK"*SV9,.N2S\ȜHW0fY kxkFUys"X5̽p'71W }^f>6? Vt{r*%n ۍ9 xL|uӚܴO]v<2kݫ++#BAfп~%sS$iN^j{4qa C1׃>ZqzPg^U= :!ڳi>Y<+h}s&pN!3J8?1 H-MԳpNzR?ѰsW3@ t5^i{@$~;1-H$ΆR% J\ޑJ0lzGDd= ̈JA._$`rXR/PPफ़h[iRoh yVi8an%[z?"z5~L@M+6"뾂/cZA6of!3^8ռD<gu~o2P e +?o9Xj,.#vR'Q!+\9ƙg9mc5:tp) ߄`-kD҃Yhp䓿 t8H4ǭaƹr4nAz4}z<8־6%x-7:\A|#皛̈ .LESzq;:8(,_bYdA'mS sb(V|3S [2FlX XJr 9;9_\$ǖ]`>so/r:=bՇ=<0 ;V.򡟼bwwwrp1Q6`:}Hif:F`ƨ2&f\ '00>ax>}t~*U1 gGZO,fl_cErd9GUZQ2aCq1;ql>;KsoNg:0D00Y~l+6FՋpaĵHz~ƠC)e hD,D*9"[o %P)@EikA/?tI3ۉd&%}YQ v.ychFʪv\|m% ]* ?PɑX)un'|oS{/)0XPy74<>pZ>m?'6}J5+CNrj;;1鼟˖;7) m+#84B>ܼmQ޺%pm.; +C}e^p멎TgU|J6A1^/'R``mR>ŔK ]'[٧3й?-{/e[z_X (K# LwIN<z>utvKѪ v7"`aNn0n,ـ&@r=Vcm;pSz 9QmQ-নN?X70(|N4u ۊ|Va=rks`CΜ *φŀ{Ⱦ ^f#1ثu!}đYX&7ęV /O CׅѰ0 L;,lyEG%RrNCb 0F c:p2 19,O)xI1%h3l䓈mAb ?jұL}aG?q,M~'[]2*e+׹W6xozc|>[z0XjPtP9ɓZ0 9LMhc{pfi#fSS{3 ;τ ixv4<1TF_E@G7dyUĔfٵ\RKnrmmck )60MÄr"5poq=yeӘJ pK8 g!0X^ZpTT/>%hw2b5_yfϸȅc\YG7^Y{b`!'݋t<}9!3 *`NgvXvQJeVju.>$+e=;`ol3 gs7*Р~oQWԊZMG3HZ\֓BVR۝wߺ"f/On6%c(|NVKI+n^ͦG( wm&l2)v}ml-c6C-;S1e)