
Experts say Microsoft should consider change in patching process

Several security experts criticized Microsoft this week for not releasing a fix earlier for the Windows ANI flaw, calling for the company to reassess the way it handles critical patches.

Among those voicing concern was Nand Mulchandani of Determina, which initially discovered the flaw last year and disclosed it to Microsoft in December.

"The question is, is the public better served by holding these critical vulnerabilities until a super Tuesday or issuing them out of band?" he said. "The thing we are encouraging Microsoft to do is when Microsoft gets hold of a critical vulnerability, they need to somehow figure out a way of moving ahead in a way that fast-tracks the critical vulnerabilities and then potentially deemphasizes the ones they can do every super Tuesday."

Microsoft typically follows a triage process when it is informed of critical vulnerabilities.

"This issue followed the same process that we use for all vulnerability reports. Based on the severity of the initial report, we began driving for release right after we were able to verify the vulnerability reproduced," Mike Reavy wrote on the Microsoft Security Response Team blog on Tuesday. "The level of priority that we assign to a vulnerability is based on the severity of the vulnerability and the risk to customers. The level of urgency and our willingness to 'shortcut' steps in the process, such as quality testing, to release on a faster timeline is based on the actual risk to customers at that time."

In the case of ANI, the discovery of exploits snowballed over the four days between McAfee Avert Labs' initial report of an exploit in the wild last week and Microsoft's release of a security bulletin on Thursday.

Most experts say Microsoft made the right call in releasing the fix as quickly as possible.

"I do think it is necessary for them to jump on these sorts of things to protect their customers. Any time there is something that is on the web and it is related to users' browser activities, it definitely needs to be addressed as soon as possible," said Steve Fossen, manager of anti-virus research at Fortinet. "Any time it's a web-based thing, especially with graphics, it can blow up very quickly because it doesn't take very much interaction from a user other than browsing a site. We've had ones with GIFs, JPEGs, WMF files and now ANI, and they all have the potential to take off like a rocket if they aren't kept under control."

Mulchandani contended the patch should have been released much earlier, considering the patch still came out before Patch Tuesday.

"The thing that is especially galling about the whole situation is that obviously they have been sitting on these fixes for a while and the net result for the consumer and the enterprise is pretty much the same. They’re still going to have to do an out-of-cycle patch," he said. "But of course they’re going to have to do it under duress and with a lot of the craziness and cost associated with having to drop everything, do this patch, and of course, seven days later, they’re going to end up having to do it again."

While Max Caceres of Core Security said he understands Microsoft’s urge to control the quality of its patches, he said the swift response with an out-of-band patch once so many exploits were found shows the company can respond quickly to security events.

"It seems like when there is an external catalyst, they move a lot faster, so it's logical to question them," said Caceres, a product manager for Core. "You have the capacity to do that, so why don't you do that more often?"

Mulchandani echoed Caceres’ sentiments.

"The fact that they were able to get a patch out in four days or less shows that they can act very quickly if needed," he said. "My attitude about this is that all of these vendors, when they get a critical vulnerability through the door that they acknowledge, they should act as if there are ongoing attacks with this vulnerability. A non-critical vulnerability, OK, you can let it slide a little bit."

Caceres also stressed that just because a flaw is disclosed responsibly, and Microsoft keeps it under wraps on its own timetable, doesn't mean there aren't hackers who have figured it out independently and go on to exploit the problem for monetary gain.

In Microsoft’s defense, however, fixes such as ANI involve a lot of work to ensure that they don’t cause more problems.

"For this issue in particular, the update modifies functionality that is pervasive and core to the operating system, both in graphics rendering, as well as kernel mode operations. So extensive testing was performed, and that process involved hundreds of folks in multiple teams worldwide to ensure as complete coverage as possible," Reavy said. "At one point, our testing had uncovered over 80 potential issues with the update that were investigated and resolved."

Because he understands the pickle Microsoft is in with testing, Caceres wondered whether Microsoft should leave the decision up to its customers. He said that when the company first develops a patch for a critical vulnerability, it should release the patch and the details of the vulnerability to the customers with the caveat that it is a rough patch. Then customers can decide whether to install the patch immediately or wait until the fully tested patch is released based on their own environmental concerns.

"They rightly refer to the fact that you can’t just issue a patch, because there might be a lot of things that break, and then they will be held accountable for that, too. There’s no way for them to win," he said. "But I think the right thing to do is to make the customer make the decision."
