The Redmond, Wash., software giant markets SMS as a business tool for simplifying patch management, but because of a bug in the way the SMS architecture handles certain compressed files, the company temporarily cancelled the patch release originally scheduled for Aug. 22.
Microsoft delays software updates typically because of quality assurance concerns, but this is the first time the company has made it known that a kink in its distribution mechanism is the cause for the temporary cancellation of an important patch.
The decision is not sitting well with Internet security experts.
eEye Digital Security, the private research outfit that blew the lid on the exploitable nature of the vulnerability after Microsoft described it as a simple browser crash, says a flaw in SMS is no reason to leave customers at risk of code execution attacks.
"[Microsoft is] delaying a security patch, not because there is a problem with their patch, but a problem with their proprietary distribution engine," said eEye Chief Executive Ross Brown, in Aliso Viejo, Calif. "Auto Update works and a million other patching vendors should be able to handle it, but because SMS is flawed, they are leaving customers unsecured?"
In an entry posted to his personal blog, Brown bristled at Microsofts contention that eEye acted irresponsibly when it announced its discovery that the browser crash could be used to plant malicious code on fully patched Windows systems.
He offered a chronology of the events that led to the Aug. 22 decision to delay the patch, arguing that Microsofts own security advisory "tells the bad guys exactly where the vulnerability is."
"So, to recap, Microsoft writes a patch that causes another flaw, then delays releasing the patch (unless you call Microsoft support) and then releases the information needed to identify the vulnerability in their own advisory update," Brown said.
On the official MSRC (Microsoft Security Response Center) blog, program manager Stephen Toulouse described the decision to delay the IE patch as "difficult but necessary."
"Providing the update in its current state would have resulted in customers being unable to deploy the update," Toulouse said. He did not elaborate on this or confirm that the SMS issue was the cause for the delay.
Toulouse said Microsoft made a decision to withhold the full security implications of the browser crash because that would have been a violation of its position on responsible disclosure and would have put customers at increased risk.
"This was another difficult decision on our part. There was no intent here to misrepresent the issue as not being exploitable. Oftentimes, however, we find ourselves in the position of having to strike a balance between providing information equally to users who would use the information to protect themselves, and attackers who, history has proven, will immediately use the information for criminal purposes," Toulouse said.
However, eEye Chief Hacking Officer Marc Maiffret said Microsofts stance is hard to understand. "This information is already known in research circles and also [to] exploit writers," Maiffret said in an interview with eWEEK.
Indeed, according to security alerts aggregator Secunia, based in Copenhagen, Denmark, at least two research outfits—eEye and Bold Internet Solutions—reported the exploitable condition to Microsoft.
"If we are finding this, we have to assume the bad guys are looking and finding it too," Maiffret said.
Microsofts Toulouse confirmed that the company was working with multiple researchers and said there was a disagreement on when to go public with the information that the bug was much more serious than a browser crash.
On the official IE blog, Microsoft Group Program Manager Tony Chor was scathing in his criticism of eEye, accusing the company of "irresponsibly" disclosing the severity of the flaw.
Neither Chor nor Toulouse could be reached to react to eEyes claim that Microsofts own advisory mentioned "long URLs" as the cause of the crash, in effect pointing potential attackers in a certain direction. In Chors blog entry, he also mentioned that the vulnerability exists through a crash in "urlmon.dll," which is much more information than eEye and others released.
Chor said Microsoft will hold the developer responsible for the new vulnerability introduced by the original IE patch. "Unfortunately, we missed this issue, plain and simple. In parallel with making the right fix, we have been working through how we prevent similar mistakes from happening again. For instance, we have code-reviewed the past ten months of code check-ins from the developer responsible for this issue," Chor said.
He said the company was also "reconsidering" staffing and tools to allow it to scale better during heavy load periods.