When Microsoft released five security bulletins – three of which were deemed critical – as part of this week’s Patch Tuesday, the company inadvertently started another debate about when – or if – the computing giant should divert from its scheduled fix release dates.
Before Tuesday's regular release, Microsoft had distributed a patch ahead of schedule in January after the Windows metafile (WMF) vulnerability was discovered in the closing days of 2004.
Some experts had urged Redmond to stage a similar early release for the well-publicized createTextRange() flaw in IE that was discovered last month and patched on Tuesday.
Microsoft released a cumulative patch for IE and four other patches on Tuesday.
In late March, Stephen Toulouse, head of the Microsoft Security Response Center, said that Microsoft researchers were working night and day on a patch for the widespread flaw.
However, some security professionals said a monthly patch schedule leaves far too much time for malicious users to plot attacks.
"This is just another example of Microsoft sticking it to the little guy and not protecting their customers," said Chris Smith, vice president of marketing for Alert Logic. "Microsoft has proven yet again that the security of a company's network should not be left in their hands as they are slow to react to such vulnerabilities."
Graham Cluley, senior technology consultant for Sophos, said companies were anxiously awaiting the latest IE patch.
"Businesses have been chomping at the bit to patch against this latest vulnerability in Microsoft's code, as there were many instances of hackers attempting to exploit the flaw in the wild," he said. "A security hole that allows hackers with malicious intentions to run unauthorized code on Windows computers is very serious, and all affected users should ensure they have put the right defenses in place."
Oliver Friedrichs, director of Symantec Security Response, said "the average time between the release of a security patch and the development of an exploit is six days."
"In this case, three of (Tuesday's) security vulnerabilities were already being actively exploited by attackers even prior to the issuance of these patches," he said.