[ISN] Experts unconcerned over Microsoft patch delay

InfoSec News isn at c4i.org
Tue Sep 13 02:41:36 EDT 2005


Tom Espiner
September 12, 2005

The decision to delay the latest Windows patch has been praised by
the security industry

Security experts are largely unconcerned about the delay to
Microsoft's latest critical security patch, as they believe hackers
will struggle to exploit the vulnerabilities that the patch was meant
to fix.

The patch was due to be released on Tuesday, but was pulled on Friday
after Microsoft "encountered a quality issue that necessitated the
update to go through additional testing and development before it is
released", according to the company Web site.

Mikko Hyppönen, director of antivirus research at Finnish security
company F-Secure, said as the bug existed in Microsoft software before
the company announced a fix, there is no difference to the security
risk facing Windows users today.

"There are not suddenly going to be hundreds of underground hackers
just concentrating on finding this one security flaw, I think,"  
Hyppönen said.

Hyppönen was glad that Microsoft had decided to not release a patch
with bugs. "I prefer it this way," he said. "It would generate more
problems if Microsoft released a buggy patch. Most exploits exploit an
existing patch."

If a buggy patch that many users chose not to install were released,
hackers could examine that patch to find the flaws in the original
software, Hyppönen said, whereas "at the moment it's like shooting in
the dark" for the hackers.

Graham Cluley, senior technology consultant at security company
Sophos, agreed. "At the moment there's not much information on the
vulnerability. It's better that Microsoft not roll out [the update]
than roll it out flawed. Obviously we're keen to get the update, and
[the announcement that no update would be available] was a bit up
against the wire, but it's better that Microsoft stopped the release,"  
he said.

"As long as no information leaks out from Microsoft, we don't think
there's much risk to users. As far as we know there are no exploits
out there for the current flaw," Cluley said.

"Obviously this will cause some embarrassment to Microsoft — they've
said to us there will be an update, then turned around and said
'Whoops, not just yet', but we don't think there's much risk to
users," he said.

As to when the patch would be released, Cluley said "Microsoft may
decide to release the patch in a month, but hopefully they'll release
it as soon as it's ready."

Hyppönen concurred. "They [Microsoft] might simply release it next
month," he said.

All the experts questioned declined to speculate as to which part of
Windows was addressed by the update. "There are so many potential
holes I couldn't possibly guess which one it's for," joked Alex Shipp,
chief antivirus developer for MessageLabs.
