View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
April 12, 2007

Microsoft and the patch release conundrum

Microsoft recently released an out-of-schedule security update relating to its Animated Cursor Handling facility. This early release was forced upon the company due to vulnerabilities that were being openly exploited by criminal elements. Indeed, it is unusual for Microsoft to deviate from its normal patch release schedules and, as such, the move has provoked much industry debate and comment.

By CBR Staff Writer

The flaw itself had been known to the company since late December 2006 and was being worked upon within its labs with a view to being part of the scheduled release on April 10, 2007.

Three issues spring to mind considering the rights and wrongs of making this unscheduled release undertaking. One, Microsoft was reacting appropriately to the pressures of the marketplace as an identified vulnerability was being actively exploited. Two, the company was facing a lose-lose situation because, although it believed that the customer impact of this particular flaw was limited, other security vendors had differing views and were highlighting significant exploit numbers. Therefore, to do nothing would have left Microsoft open to the charge of being complacent. Three, unofficial patch options from eEye Digital Security and from a volunteer group called the Zeroday Emergency Response Team (ZERT) were already publicly available, and some would argue that this is a situation that has its own real dangers and should rarely be encouraged.

September 2006 was the last time Microsoft released an out-of-schedule security update patch. At that time, as is the case now, there were two main drivers to get an early release out and available. Firstly, public pressure due to the severe nature of the identified flaw, and secondly, because a whole raft of unauthorized and potentially dangerous third-party patches were being promoted as available for use. Incidentally, it has been reported that, following its initial patch release, eEye found it necessary to repair its own patch as zero-day exploit code from a hacker had been able to bypass the fix.

The trend towards the faster exploitation of identified systems vulnerabilities, often known as zero-day attacks, or at least as exploits that are released before vulnerabilities become publicly known, is part of a security situation that is growing ever more critical. Criminal elements are able to demonstrate their technology skills through their fleet-of-foot abilities to exploit both known and unknown systems vulnerabilities.

It can be reasonably argued that a Windows systems flaw that had been identified to Microsoft back in December of 2006 should have been patched before now, although the technical complexities involved in achieving this particular fix must be taken into account. However, what is clear is that Microsoft, like all other software suppliers, will be aware of vulnerabilities that are not in the public domain. These are often released as part of scheduled patch updates with little additional comment, and the key issue is that such corrections must be completed before they can be exploited and become a public issue.

Despite increased threat awareness, software will continue to be released to the marketplace with vulnerabilities. Today, Microsoft is better than most at ensuring that such vulnerabilities are kept to a minimum. However, as criminal elements become more professional in their use of technology, it is time for the software industry as a whole to step up its protection efforts.

Source: OpinionWire by Butler Group (

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.