Some Security Experts Criticize Microsoft For Patch Process

A critical vulnerability first found in July wasn't fixed until more than seven months later, and some say that's too much time.
Microsoft is taking hits from security experts and other analysts over the long lag time between knowing about a major Windows vulnerability and releasing a patch to fix the problem.

The vulnerability in question is one of two noted as critical by Microsoft on Tuesday, when it released February's monthly fixes. Hackers could exploit flaws in Windows's usage of Abstract Syntax Notation, a language for defining the syntax of data messages shared between applications and computers. If attackers successfully created exploits, they could clandestinely destroy data, steal information, or compromise network security.

The bug has been characterized as one of the most serious ever due to its widespread use in many of the Windows operating system's security subsystems, including Kerberos and NTLM authentication, and in numerous server and desktop programs, such as Exchange and Internet Explorer.

The ASN vulnerability was first identified on July 25, 2003, by eEye Digital Security--but not fixed until more than seven months later.

"Microsoft had 200 days to fix this," Mark Maiffret, chief hacking officer and co-founder of eEye Digital Security, and the discoverer of the ASN vulnerability, said during a teleconference. "That's a ridiculous amount of time."

Maiffret kept quiet about the vulnerability while Microsoft worked on and tested a patch. Currently, there are no exploits circulating or pending.

In its defense, Microsoft said it needed the time to assemble--and, more important, to test--the fix. "This investigation required us to evaluate several aspects and instances of this pervasive functionality in order for our engineers to create a comprehensive and high quality fix," a company spokesperson said. "This was an instance in which due diligence required us to very carefully evaluate the broadest possible implications of the anomaly."

But that's no excuse, another analyst says.

"I recognize that Microsoft has thrown an incredible amount of money and resources at security issues," said Laura DiDio, a senior analyst at the Yankee Group who has been tracking security for more than 17 years. "The company is under siege, no question. They're the No. 1 target, like a policeman in Baghdad. Where I fault them--even if you give them the benefit of the doubt--is that you can't take seven months to patch a problem of this magnitude."

The ASN vulnerability is especially insidious, DiDio and other security gurus said, because it affects so many systems and can be potentially exploited through a variety of applications. Microsoft made a mistake, she said, in taking so much time to patch a problem that could have put critical national infrastructures at risk.

"When you have something this deep in the operating system, you're putting things like utilities, water supplies, and transportation networks at risk," she said. "That's too big a risk, what with the state of the world today. What if the FAA or one of the major utilities had been hit by this in the last few months?"

DiDio called Microsoft's delay in putting out a patch "a mistake in judgment," and although she recognizes the complexity of the problem and the need to thoroughly test, she urged Microsoft to look for outside help if it can't handle the job on its own. "Microsoft has tremendous resources, but if they're having problems unraveling a fix, they should hire a firm like eEye, or a combination of firms, to work with them to get [a patch] out faster."

DiDio was adamant about the need to move faster. "Microsoft was lucky that the person who found this has been cooperating" by keeping quiet, she said. "If another security firm had found this vulnerability and publicized it, who knows what would have happened?"

Michael Cherry, a lead analyst with Directions on Microsoft, seconded DiDio's applause of eEye's silence--but was more willing to give Microsoft a break. "Maiffret is super professional in that not only does he find these [vulnerabilities], but he does the right thing in not getting frustrated with the delay and publishing prior to a patch being released," he said. "I'm a little bothered by the length [of time before Microsoft patched], but I have to go with my gut feel that this needed an incredible amount of testing to find all the things that may have been impacted. I'm giving Microsoft the benefit of the doubt on this one."

Although Microsoft may have dodged a bullet by not being faced with an exploit while it created and tested its patch, it's inconceivable, said Maiffret, that an exploit for the vulnerability won't appear at some point.

"It's just a matter of time before someone reverse-engineers the patch and figures out which protocols use ASN and where to insert the actual ASN data to create an exploit," he said. Figure on a few weeks, he added--about the same amount of time it took hackers to exploit last summer's Windows RPC vulnerabilities--before an exploit begins making the rounds.
