Security Watch

Keeping Track of patches and hacks in the IT security world.

Did MS' Malware Protection Engine Stall?

How embarrassing is this: a fix for a bug in Microsoft's Malware Protection Engine, used by security products including Windows Defender, OneCare and Antigen in malware scanning, tucked into the 20-patch February security bulletin.

Yes, they shipped a fix for the heart of Vista's much-touted, much-more-secure Vista.

Easy target, particularly since Microsoft actually quietly patched the malware engine bug in January, mere days before Vista shipped.

As InfoWorld's Robert McMillan blogged, such a delay could be seen as purposefully engineered to protect the splashy debut. Why blab about a major security flaw just days before Vista launched?

Let's not read too much into it. After talking to Microsoft, it sounds like a simple lack of communication synchronization. I chatted with Stephen Toulouse, senior product manager of Trustworthy Computing, and here's what he had to say about it:

"The problem was a lack of synchronization between delivery of the patch and documentation of it," he told me. "We committed to documenting vulnerabilities in the form of security bulletins. "We're trying to ensure communication is always synchronized and will meet customers' needs for transparency," he continued. "We see the need and want to make sure we meet that need." In fact, the MSRC blog had already publicly acknowledged the vulnerability, even before Vista shipped. Given that, the notion that Microsoft withheld details of the bug doesn't hold water.

"That's a funny take on it," Toulouse said. "I'm not sure the Vista team was even aware of the bug. Mainly, that engine is updated and is picked up by all those technologies. I find it odd somebody would jump to that conclusion, because we're very upfront that we found a vulnerability in Vista."

As far as having a bug in the malware engine and what that says about Vista security overall, even McAfee and Symantec wouldn't throw eggs at their new security product rival.

"It's no big deal," said Dave Marcus, security research and communications manager at McAfee. "Anybody who writes code will have a flaw. Microsoft releases patches for flaws in operating systems and applications every month. It's just like a flaw in any other piece of software. Welcome to the security world for software. It's no more earth-shattering than a buffer overflow or problem in IE."

Indeed, as Marcus put it, there but for the grace of God goes any malware engine. It might look like egg in Microsoft's face, but that just means the company has joined the ranks of plenty of security vendors who regularly find themselves wiping their own faces clean.

No biggie.