Word Flaw Doesn't Need Fast Fix, Microsoft Says

Computerworld - Microsoft Corp. last week advised users to run Word in "safe mode" to help guard against a Trojan horse program that seeks to exploit an unpatched vulnerability in the word processing software. The company said it will issue a patch as part of its monthly security update on June 13, or earlier if necessary. Bret Arsenault, Microsoft's chief security adviser and general manager of U.S. enterprise security, spoke with Computerworld about why the software vendor currently doesn't see the need to release an out-of-cycle fix for the flaw.

How do you plan to address the security flaw in Word? The plan right now is to release a patch on June 13 as part of the regular [monthly] update. We are monitoring the number of infections and what the impacts to customers are. We recognize the seriousness of the issue. We're going through our regression testing, which is, of course, to make sure that we have the right fix and it is of the right quality. The worst thing to do is to install something out of band and then have to redo it again a second or third time.

This isn't the first time an exploit has become available for an unpatched vulnerability in your software. Is it causing you to review your patch release cycle? We always have to balance the timeliness of the patch with what the current threat is to the customer. If the threat level becomes severe enough, we will release something out of [the monthly cycle]. But we try to limit our out-of-band [patches], because what our customers have asked us to do is to be predictable.

In this scenario, we are not happy with the[disclosure] process [the flaw] went through. We have an outreach program for vulnerability finders. We work hard to do responsible vulnerability disclosure, and by somebody not reporting this to the vendor, it is customers who are paying the price.

What do you think of the role third parties have played in releasing interim patches for these types of flaws? Is that putting pressure on Microsoft to release its fixes more quickly? I don't think there is any more pressure than protecting our customers. I don't really have a comment on what others do as far as providing patches is concerned. The important thing is for customers to evaluate if the patches have been tested for all the platforms they run and if it is of the same quality they want it to be.

What you are seeing is the time to exploit has been shrinking [over] the last few years. We recognize that; the industry recognizes that. And patching is not the answer. The answer is defense in depth. In this case, if your antivirus signature is up to date, it will catch this [flaw] at the client.

So is a monthly patch release still good enough? We're always evaluating what the right cycle is. So far, the customer feedback has been to stay on this one-month cycle and to monitor how many of these out-of-bands we actually have to do. The last one was in January, and the previous one, I think, was 22 months before that. So if you look at it in the overall context, it has been a pretty limited number.