Some Patching Up Is in Order
Its been a long time since the security community had a full-fledged Microsoft patch controversy to sink its collective teeth into, but the new year was just a couple of days old when the first opportunity presented itself in the form of the Windows Metafile vulnerability.
The flaw, which allows attackers to take control of remote systems, affects essentially every version of Windows that might possibly be running on a machine somewhere. Within days of the vulnerability becoming public at the end of last month, there were thousands of individual sites distributing exploit code for the hole.
Its the kind of vulnerability that typically would merit a critical rating from Microsoft, which would translate into a long night and lots of downtime for enterprise IT shops as they scramble to patch thousands of systems.
The only problem is that Microsoft initially didnt think it was a big deal. Or, at least not a big-enough deal to break out of its monthly patch cycle and issue an emergency fix. Company officials were busy telling anyone who would listen in the last couple of weeks that, yes, the WMF flaw was a concern, and they would be happy to release a patch for it on Jan. 10, the next regularly scheduled patch day.
But, in the meantime, security researchers, anti-virus companies and security vendors began releasing their own fixes for the WMF problem, something that is not altogether unheard of.
What is unusual, however, is that IT managers and security administrators were so concerned with this flaw that some of them were actually installing patches written by people they had never heard of.
This is not the optimum way to run an IT shop in a major enterprise. But thats hardly the fault of the IT staffs; theyre just doing their best to protect their networks in the absence of any help from Microsoft.
Lets get one thing out of the way upfront: No one in the industry is doing a better job handling the whole vulnerability/patching cycle than Microsoft. In fact, no other vendor is even a close second.
The Microsoft Security Response Center is the class of the industry and should be used as a model by other vendors (Sun, Oracle, Im looking your way) for how to set up a comprehensive process for working with researchers, developing and testing a patch, and then disseminating it in the most efficient way possible.
Let us not forget that it was only a few short years ago that Microsoft patches would arrive out of the blue with no warning, sometimes five or six at a time. This model forced administrators to drop everything and start testing and deploying patches as soon as they could.
Now, Microsoft not only releases fixes on a regular monthly basis, but it also notifies customers ahead of the release date how many patches are coming and how important they are.
Butand this is a very big butMicrosoft seems to have become too locked in to its monthly release cycle. The companys insistence on sticking to its schedule at all costs puts customers at risk and, even worse for Microsoft, makes those same customers think that the company has reverted to its old habit of patching when it was good and ready.
In the case of the WMF flaw, Microsoft eventually released the patch five days before the monthly patch day, but only after what company officials termed "intense" pressure from customers.
Roughly translated, that likely means there were a lot of calls emanating from the 212 and 202 area codes coming into Redmond, with large financial and government customers wondering why their security teams were scrambling to implement workarounds they found on newsgroups or patches from Ukrainian hackers when theyre paying Microsoft wheelbarrows full of money every year for legitimate updates.
The WMF episode is much more likely to be the exception rather than the rule going forward, but if Microsoft wants to continue to claim the moral high ground in the security debate, it cant have these kinds of slip-ups.
News Editor Dennis Fisher can be reached at email@example.com.
Check out eWEEK.coms for Microsoft and Windows news, views and analysis.