Microsoft Defends Effort to Patch Flaw

IT execs, researchers split over pace of work on ANI fix

Microsoft Corp. first learned of an animated cursor flaw in Windows on Dec. 20 — more than 100 days before it released an emergency patch last week to block active attempts to exploit the vulnerability.

The head of the software vendor’s security research laboratory defended the time it took to investigate the flaw and then develop and test the fix. Some IT managers are giving Microsoft the benefit of the doubt. But that feeling isn’t universal.

Hugh McArthur, director of information systems security at Online Resources Corp. in Chantilly, Va., said that in general, Microsoft’s 100-day turnaround time for patching the so-called ANI vulnerability doesn’t seem all that unusual.

It wasn’t as if the software vendor was “just sitting back and doing nothing,” McArthur said. “My take is that Microsoft was hoping they could get the fix written and tested prior to an exploit being written. In this case, they didn’t make it.”

“I don’t know if 100 days is good or not,” said David Jordan, chief information security officer for the Arlington County government in Virginia. Jordan said that he “would like to have higher expectations” for Microsoft, since it’s the largest software vendor in the world.

But, he added, he isn’t sure that’s a reasonable expectation because there is little credible data available on the average amount of time that it takes vendors to develop patches.

Less charitable toward Microsoft was Oliver Friedrichs, director of Symantec Corp.’s security response team.

“Anytime you’re patching, there are many different factors that come into play,” he said. “But 100 days in today’s climate is unacceptable. It’s really not quick enough.”

Developing patches is “all about prioritization,” said Amol Sarwate, manager of the vulnerability lab at Redwood Shores, Calif.-based security software vendor Qualys Inc. “But in this case, they obviously didn’t think that this was a big enough issue until it was actually being exploited.”

Mark Miller, director of the Microsoft Security Response Center, rejected the notion that the software vendor rushed to release the ANI fix only when exploits appeared and publicity mounted.

“Engineering a patch is a long, complex process,” Miller said. He noted that by mid-March, when Microsoft skipped its usual monthly software update release, the company had completed an investigation of the ANI flaw and created a patch. “But it was still undergoing testing,” Miller said, adding that Microsoft planned to include the patch in its April updates.

Attacks Spotted

On March 28, though, McAfee Inc. notified Microsoft that it had spotted attacks exploiting the cursor flaw. Last Monday, as attackers ramped up the exploit attempts to include hundreds of malicious Web sites, Microsoft promised to issue a patch a week ahead of the other April fixes, which will be released tomorrow.

Alexander Sotirov, a vulnerability researcher at Determina Inc. in Redwood City, Calif., who found the flaw, refused to criticize Microsoft for the time it needed to create a fix.

“If you look at the average time it takes them, this vulnerability is not an exception,” Sotirov said. “In fact, it’s pretty standard.”

But the fact that the ANI vulnerability was discovered by Sotirov, not by a Microsoft employee, raises questions about why the software vendor didn’t spot the flaw earlier. Several security analysts and researchers have noted similarities between the ANI flaw and an earlier one involving animated cursors that Microsoft patched in January 2005.

“We’re doing an analysis of why we didn’t find it then,” said Miller, who added that Microsoft devotes some of the patch development process to looking for similar vulnerabilities in the affected code.

“This reinforces the idea that vulnerability research is more of an art and less of a science,” Friedrichs said. “Microsoft’s people could have looked at this code and seen nothing, but all it takes is someone who sees things a bit differently.”

Nonetheless, he said that he views the inability of the software vendor to find the ANI flaw two years ago as “somewhat of a failure on Microsoft’s part.”

Despite all the hoopla, the vulnerability “ultimately wasn’t a big issue” for Online Resources, McArthur said. But he added that the online bill-processing company treated the threat “very seriously” and made sure that its antivirus software was up to date and that its monitoring tools were configured to detect any exploit attempts on its systems.

Jordan said that having to install the out-of-cycle patch — just the third released by Microsoft in more than two years — was “an inconvenience” for Arlington County’s IT staff. But, he said, the flaw didn’t pose any immediate threats to the county’s systems.

Copyright © 2007 IDG Communications, Inc.