IE flaw points to limits of monthly patch releases

Computerworld - Zero-day exploits such as those targeting an unpatched vulnerability in Microsoft Corp.’s Internet Explorer Web browser are exposing some of the limitations of the company’s monthly patch release schedule, users and analysts said today.

Even so, it may be better in most cases for enterprises to wait for Microsoft’s official updates rather than implement interim third-party patches, they said.

“There’s going to be no third-party patches for us,” said Dave Jordan, chief information security officer for the Arlington County government in Virginia. “These things have to be really tested before we can put them on our production servers. By the time I finish testing, Microsoft would have released its own patches, so why go through the same exercise twice?"

The sentiment comes amid continuing concern that a vulnerability in IE could soon be exploited by hackers looking to take complete administrative control of vulnerable systems. The flaw, which involves the way IE processes Web pages using the createTextRange() method, is currently being exploited by attackers on more than 200 malicious Web sites.

Microsoft itself has called the attacks "limited in scope” and said it will release a patch addressing the flaw with its scheduled monthly updates on April 11 -- or sooner, if warranted.

However, two security vendors, Redwood City, Calif.-based Determina Inc. and eEye Digital Security Inc. in Aliso Veijo, Calif., have already released interim fixes for the flaw for users unwilling to wait for Microsoft’s official patches (see "Update: Security vendor patches dangerous IE bug").

This is the second time in recent months that security vendors have pushed out patches for zero-day flaws ahead of Microsoft’s official release. In January, a Belgian programmer named Ilfak Guilfanov released a similar interim patch to fix a far more serious Windows Metafile (WMF) flaw.

While such patches can be useful for some companies, it is unlikely that many enterprises, especially larger ones, will deploy them, said Andrew Jacquith, an analyst at Yankee Group Research Inc. in Boston. “They would really rather wait for an official patch” instead of implementing an untested patch from an unknown third party, he said.

Bill Cassada, enterprise network administrator at Healthways Inc., a Nashville-based disease management company, said that he would like to see Microsoft “react quicker” to zero-day threats. But he added that Healthways is unlikely to roll out any interim patches to deal with the current threats, since several work-arounds are available.

Robert Olson, systems administrator with Uline Inc., a Waukegan, Ill.-based distributor of packing and shipping materials, said that Microsoft's monthly patch release cycle provides companies with a "clean way" to push updates to users. He also said he would like to see supplemental updates for exploits involving unpatched vulnerabilities, but stressed that his company has no intention of using a third-party patch for any flaw, no matter how critical.