resource center
  See your link here
|
Computerworld - Bret Arsenault, Microsoft Corp.'s chief security advisor and general manager of U.S. enterprise security, talked today with Computerworld aboout why Microsoft doesn't plan to release an out-of-cycle fix for an unpatched vulnerability in Word for which an exploit is already available (see "Microsoft promises patch for Word flaw by June"). Excerpts from the interview follow:
What are Microsoft's plans to address the flaw? The plan right now is to release a patch on June 13 as part of the regular update. We are monitoring the number of infections and what the impacts to the customers are. At this point, we recognize the seriousness of the issue. We are going through our regression testing which is, of course, to make sure that we have the right fix and it is of the right quality. The worst thing to do is to install something out of band and then having to redo it again the second or third time. So we balance that with what the current threat level is.
I believe if you look at what the virus vendors' current reading of the issue is, it is low to moderate because of the current infection rate.
This is not the first time that an exploit has become available for an unpatched Microsoft vulnerability. Is it causing you to review your patch-release cycle? We don't want to release an inferior-quality product. We always have to balance the timeliness of the patch with what the current threat is to the customer base. I don't think we want to change that balance. If the threat level becomes severe enough, we will release something out of that. But we try to limit our out-of-band [releases] because what our customers have asked us to do is to be predictable.
In this particular scenario, you should know we are not happy with the process this went through. We have an outreach program for vulnerability finders. We work very hard to do responsible vulnerability disclosure, and by somebody not reporting this to the vendor, it is the customers who are paying the price.
What do you think of the role that third parties have played in releasing interim patches for these sort of flaws? Is that putting pressure on Microsoft to release fixes quicker? I don't think there is any more pressure than protecting our customers. I don't really have a comment on what others do as far as providing patches is concerned. They can do what they want to. The important thing is for customers to evaluate if the patches have been tested for all the platforms they run and if it is of the same quality they want it to be.
The Tangled Web: Silent Threats & Invisible Enemies
Download Now
Can Heuristic Technology Help Your Company Fight Viruses?
What is Heuristic Technology and how can it help safeguard your business against viruses? Learn more.
Best Practices for Log Monitoring
Watch Now!
US Military Command Prevents Zero Day Attack with Application Whitelisting
Download this Whitepaper Today!
Data in Action: Making the Planet Smarter
Register Now
Employee Web Use and Misuse
Download this new White Paper today!
The Workday User Experience Video
Watch Workday's Creative Director, Scott Lietzke, discuss the business-centered design philosophy at Workday.
Get More from Your IT Budget
Download this new white paper today!
Business Process Framework Demo
Learn about Configurable Business Processes and Calculated Fields. Watch Now!
Sign up to receive updates on the latest Security resources
CIO
Computerworld
CSO
DEMO
GamePro
Games.net
IDC
IDG
IDG Connect
IDG Knowledge Hub
IDG TechNetwork
IDG Ventures
IDG.net
InfoWorld
ITwhitepapers
ITworld
JavaWorld
LinuxWorld
Macworld
Network World
PC World
The Industry Standard
Copyright © 1994 - 2010 Computerworld Inc. All
rights reserved. Reproduction in whole or in part in any form or medium
without express written permission ofComputerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc. |
