April 12, 2007

Microsoft and the patch release conundrum

Microsoft recently released an out-of-schedule security update relating to its Animated Cursor Handling facility. This early release was forced upon the company due to vulnerabilities that were being openly exploited by criminal elements. Indeed, it is unusual for Microsoft to deviate from its normal patch release schedules and, as such, the move has provoked much industry debate and comment.

By CBR Staff Writer

The flaw itself had been known to the company since late December 2006 and was being worked upon within its labs with a view to being part of the scheduled release on April 10, 2007.

Three issues spring to mind when considering the rights and wrongs of this unscheduled release. One, Microsoft was reacting appropriately to the pressures of the marketplace, as an identified vulnerability was being actively exploited. Two, the company was facing a lose-lose situation because, although it believed that the customer impact of this particular flaw was limited, other security vendors had differing views and were highlighting significant exploit numbers. Therefore, to do nothing would have left Microsoft open to the charge of being complacent. Three, unofficial patch options from eEye Digital Security and from a volunteer group called the Zeroday Emergency Response Team (ZERT) were already publicly available, and some would argue that this is a situation that carries its own real dangers and should rarely be encouraged.

September 2006 was the last time Microsoft released an out-of-schedule security update patch. At that time, as is the case now, there were two main drivers for getting an early release out: firstly, public pressure due to the severe nature of the identified flaw, and secondly, a whole raft of unauthorized and potentially dangerous third-party patches that were being promoted as available for use. Incidentally, it has been reported that, following its initial patch release, eEye found it necessary to repair its own patch, as zero-day exploit code from a hacker had been able to bypass the fix.

The trend towards the faster exploitation of identified systems vulnerabilities, often known as zero-day attacks, or at least as exploits that are released before vulnerabilities become publicly known, is part of a security situation that is growing ever more critical. Criminal elements are able to demonstrate their technology skills through their fleet-of-foot abilities to exploit both known and unknown systems vulnerabilities.

It can be reasonably argued that a Windows systems flaw that had been identified to Microsoft back in December of 2006 should have been patched before now, although the technical complexities involved in achieving this particular fix must be taken into account. However, what is clear is that Microsoft, like all other software suppliers, will be aware of vulnerabilities that are not in the public domain. These are often released as part of scheduled patch updates with little additional comment, and the key issue is that such corrections must be completed before they can be exploited and become a public issue.

Despite increased threat awareness, software will continue to be released to the marketplace with vulnerabilities. Today, Microsoft is better than most at ensuring that such vulnerabilities are kept to a minimum. However, as criminal elements become more professional in their use of technology, it is time for the software industry as a whole to step up its protection efforts.

Source: OpinionWire by Butler Group (www.butlergroup.com)
