HomeBlogsMacRonin's blog

Microsoft defends 100-day ANI patch process

April 4, 2007 - 9:32am — MacRonin

Microsoft defends 100-day ANI patch process: "Microsoft Corp. took more than 100 days to develop and release a patch for the Windows animated cursor flaw it first learned about in December 2006. The company is now looking into why it didn't spot the flaw two years ago.

[...]

Microsoft Corp. first learned of the animated cursor flaw in Windows in December 2006, more than 100 days before it released an emergency patch. The release marked just the third time in more than two years it has released an out-of-cycle security update.

The head of the company's security research lab defended the time spent investigating, developing and testing the fix. "Engineering a patch is a long complex process," said Mark Miller, director of the Microsoft Security Response Center (MSRC). "We look at surrounding areas of code for similar vulnerabilities, and from our internal investigation, address as many as we can find."

Microsoft was alerted to the ANI file bug Dec. 20 by Alexander Sotirov, a vulnerability researcher at Determina Inc. of Redwood City, Calif. By mid-March, when Microsoft skipped its usual second-Tuesday-of-the-month updates, the investigation had been completed and a patch created, said Miller. "But it was still undergoing testing," he said, explaining why the patch wasn't released then.

On March 28, McAfee Inc. notified the MSRC that it had spotted attacks exploiting the cursor flaw. Within five days, as attackers ramped up use of the exploit to include hundreds of malicious Web sites, Microsoft promised to release a patch a week ahead of its designated monthly release date, April 10.

Miller, as have other Microsoft security officials, said that the patch could be released early because it was already on the April schedule. "We had an opportunity and by pulling in the window by a week, it was very doable."

He rejected the idea that Microsoft rushed to release the fix only when exploits appeared and publicity mounted.

"The number of people working on it doesn't change [when exploits are active], but the 24/7, around-the-globe effort does," said Miller. "When McAfee notified us, we ramped up our SSIRP [software security incident response process] to track the attacks and see what level of activity there was."

Sotirov, who found the flaw while auditing other code in the same User32.dll that contained the ANI bug, refused to criticize Microsoft for the time it needed to create a fix. "If you look at the average time it takes them, this vulnerability is not an exception," he said. "In fact, it's pretty standard."

(Via Computerworld Security News.)


Bookmark/Search this post with: