[ISN] Viruses exploit Microsoft patch cycle
isn at c4i.org
Thu Nov 11 04:39:42 EST 2004
By Munir Kotadia
Special to CNET News.com
November 10, 2004
The creators of the latest MyDoom variant, which exploits a recently
discovered iFrame vulnerability in Internet Explorer, may have timed
the release of the viruses to throw Microsoft's monthly patch cycle
into disarray, security experts say.
In its latest monthly update on Tuesday, Microsoft was not able to fix
a serious vulnerability in the Internet Explorer browser because the
flaw was discovered only a few days before the company's regular
update was due. The two variants of the MyDoom virus were released
earlier this week, leaving the software giant without any option but
to ignore the problem--for now.
Sean Richmond, senior technology consultant at Sophos Australia, told
ZDNet Australia that it would have been impossible for Microsoft to
create and test a reliable patch in four days--the time between the
vulnerability being published and Tuesday's patch update.
"To release a stable patch for IE would be impossible (in that time)
because they want to test it thoroughly before it goes out," Richmond
said. "The monthly patch cycle was designed to make it easier for
system administrators to schedule their updates, but a few days is
just not enough time for Microsoft create and test a patch."
Ben English, security team leader at Microsoft Australia, told ZDNet
Australia that Microsoft advocates a process of responsible disclosure
and is "very keen" to discover any vulnerabilities before they are
"The reasons are very obvious. We would not disclose any info about a
vulnerability till we have mitigation in place," English said. "The
worst scenario for us is that we release an update which has quality
problems. We believe the downstream problems of releasing patches too
quickly are even more serious than not putting in the quality that
English would not comment on whether Microsoft thought the timing of
the worm's and the vulnerability's disclosure was malicious, but he
said that if the problem were serious enough, the company would break
its patch cycle to plug the gap.
"In terms of the timing, I have no comment on whether there is
malicious intent," he said. "But in a sense, it is academic because if
this is a serious vulnerability and we have a patch available, we will
release it out of cycle."
The MyDoom virus, also referred to as a worm, has been dubbed Bofra by
some antivirus firms.
Munir Kotadia of ZDNet Australia reported from Sydney.
More information about the ISN