After IE attacks, Microsoft eyes security betas

With hackers actively exploiting an unpatched bug in Internet Explorer (IE), and some users unhappy that a fix for the problem may still be two weeks away, Microsoft says it is looking at ways of providing more rapid security updates.

Hackers began circulating code that exploited this newest IE vulnerability late last week, and to date it has been used on several hundred maliciously encoded Web sites, according to security vendor Websense.

With Microsoft on track to patch the problem on April 11, some in the security community are saying that the software giant is too slow to respond to serious threats.

Microsoft's practice of holding security fixes until the second Tuesday of each month, known to administrators as "Patch Tuesday," can hurt home users in particular, because they typically lack the "layers and layers" of protection found in corporate environments, said Todd Towles, a security consultant based in Austin, Texas.

"In the past, I wouldn't have a problem with the Microsoft delay, but this is happening too much," he said. "Microsoft waits for Patch Tuesday to make corporate patch management teams happy, but this is only hurting the millions of home users that live at a higher security risk."

Microsoft is looking at ways to provide speedier updates, although at present it has no plan to release beta versions of its security updates, said Stephen Toulouse, a security program manager with Microsoft's security response center. "There are some huge challenges to that," he said.

First and foremost is the issue of quality control. Microsoft must ensure that its updates work across a wide range of platforms, many of them localized for different parts of the world. "We can't leave anybody behind," Toulouse said. "And unfortunately you might be introducing new problems. So whenever we look at even a quick hack ... it's got to be of quality. That's what customers have told us time and again."

"That's not to say that we're not examining some ways that we could ... have an accelerated or maybe a less tested update, but we haven't made any determinations on that," he added.

The idea of releasing unsupported, pre-release software is not new to Microsoft. The company has been shipping beta versions of its products to early testers for years, and in recent months it has moved to be more transparent and more agile in the way it releases code destined for upcoming products.

Still, a beta process that works for commercial software may not be well suited for security updates.

If Microsoft were to release an early patch for a vulnerability that had not yet been publicly disclosed, for example, it could be tipping off attackers to a new type of attack: a patch can be diffed against the unpatched binary to locate the flaw it fixes.

"There might be privately reported issues that end up being in that update that haven't been disclosed yet," Toulouse said. "When we put out the bulletin, we talk about the information in the vulnerabilities ... with a beta, how does that work exactly? Do you put out a kind-of-a-bulletin?"

Whatever changes Microsoft may be considering, its slow response to critical bugs is creating a void that others have been filling over the past few months.

On Monday, security vendors eEye Digital Security and Determina posted unofficial patches for the latest IE bug. And earlier this year software developer Ilfak Guilfanov released a widely adopted unofficial patch for a similarly critical Windows bug in the handling of WMF image files, which could likewise be triggered simply by browsing to a malicious page.

Users who want to avoid this latest vulnerability until the official fix ships have two options: turn off the browser's Active Scripting capability, which blocks the script-driven trigger for the bug at the cost of breaking many legitimate sites, or install one of the unsupported third-party patches. Microsoft does not recommend the latter, saying it cannot endorse third-party patches that "modify the way the product itself operates" because they might not be compatible with other applications.
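The Active Scripting workaround above is normally applied by hand through Internet Options. The following PowerShell snippet is an added example, not part of the original article or of any Microsoft guidance, showing how an administrator can script the same change for the current user. It relies on the documented IE zone settings in the registry (zone 3 is the Internet zone, value 1400 controls Active Scripting, and 0/1/3 mean enable/prompt/disable); the function names are the author's own and the script assumes no machine-wide policy under HKLM overrides the per-user setting.

```powershell
# Added example: toggle Active Scripting for the IE Internet zone (current user).
# Registry layout is the documented IE zone setting: Zone 3 = Internet,
# value name 1400 = Active Scripting, 0 = Enable, 1 = Prompt, 3 = Disable.
# Assumption: no HKLM (machine/group policy) value overrides this per-user key.
$zonePath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$valueName = '1400'

function Get-ActiveScriptingState {
    # Returns a readable state; a missing value means IE's default (Enabled).
    $item = Get-ItemProperty -Path $zonePath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Enabled (default, value not set)' }
    switch ($item.$valueName) {
        0       { 'Enabled' }
        1       { 'Prompt' }
        3       { 'Disabled' }
        default { "Unknown ($($item.$valueName))" }
    }
}

function Set-ActiveScripting {
    param([ValidateSet('Enable', 'Prompt', 'Disable')][string]$Mode)
    $code = @{ Enable = 0; Prompt = 1; Disable = 3 }[$Mode]
    if (-not (Test-Path $zonePath)) { New-Item -Path $zonePath -Force | Out-Null }
    New-ItemProperty -Path $zonePath -Name $valueName -PropertyType DWord `
                     -Value $code -Force | Out-Null
}

Write-Host "Before: $(Get-ActiveScriptingState)"
Set-ActiveScripting -Mode Disable      # workaround while the official fix is pending
Write-Host "After:  $(Get-ActiveScriptingState)"
# Restore with: Set-ActiveScripting -Mode Enable  (after the vendor patch is installed)
```

Two practical notes: the change takes effect in new IE windows, and it only covers the Internet zone, so sites that genuinely need script can be placed in the Trusted sites zone (zone 2) rather than re-enabling scripting globally. The setting should be reverted once the official update is applied, since a forgotten workaround is easy to mistake for a hardening baseline.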

Towles believes Microsoft should go ahead and release early security updates. "Microsoft stays on the side and lets vendors push out test patches, letting them take the blame for anything that might break," he said. "They let us use SQL [Server] beta, why not provide a beta IE patch?"

The eEye patch can be found here: http://www.eeye.com/html/research/alerts/AL20060324.html

The Determina patch is here: http://www.determina.com/security_center/security_advisories/securityadvisory_march272006_1.asp

Microsoft's comments on these patches are here: http://blogs.technet.com/msrc/archive/2006/03/28/423409.aspx

Robert McMillan

IDG News Service