[ISN] Viruses exploit Microsoft patch cycle

InfoSec News isn at c4i.org
Thu Nov 11 04:39:42 EST 2004


By Munir Kotadia 
Special to CNET News.com
November 10, 2004

The creators of the latest MyDoom variant, which exploits a recently 
discovered iFrame vulnerability in Internet Explorer, may have timed 
the release of the viruses to throw Microsoft's monthly patch cycle 
into disarray, security experts say. 

In its latest monthly update on Tuesday, Microsoft was not able to fix 
a serious vulnerability in the Internet Explorer browser because the 
flaw was discovered only a few days before the company's regular 
update was due. The two variants of the MyDoom virus were released 
earlier this week, leaving the software giant without any option but 
to ignore the problem--for now. 

Sean Richmond, senior technology consultant at Sophos Australia, told 
ZDNet Australia that it would have been impossible for Microsoft to 
create and test a reliable patch in four days--the time between the 
vulnerability being published and Tuesday's patch update.

"To release a stable patch for IE would be impossible (in that time) 
because they want to test it thoroughly before it goes out," Richmond 
said. "The monthly patch cycle was designed to make it easier for 
system administrators to schedule their updates, but a few days is 
just not enough time for Microsoft create and test a patch."

 Ben English, security team leader at Microsoft Australia, told ZDNet 
Australia that Microsoft advocates a process of responsible disclosure 
and is "very keen" to discover any vulnerabilities before they are 
made public.

"The reasons are very obvious. We would not disclose any info about a 
vulnerability till we have mitigation in place," English said. "The 
worst scenario for us is that we release an update which has quality 
problems. We believe the downstream problems of releasing patches too 
quickly are even more serious than not putting in the quality that 
they deserve."

English would not comment on whether Microsoft thought the timing of 
the worm's and the vulnerability's disclosure was malicious, but he 
said that if the problem were serious enough, the company would break 
its patch cycle to plug the gap.

"In terms of the timing, I have no comment on whether there is 
malicious intent," he said. "But in a sense, it is academic because if 
this is a serious vulnerability and we have a patch available, we will 
release it out of cycle."

The MyDoom virus, also referred to as a worm, has been dubbed Bofra by 
some antivirus firms.

Munir Kotadia of ZDNet Australia reported from Sydney.

More information about the ISN mailing list