February 13, 2004 4:00 AM PST
200 days to fix a broken Windows
The delay of more than six months is the longest the software giant has taken to release a fix since it started its Trustworthy Computing initiative, a companywide mandate to make security a top priority. Taking so long to fix
"If it really took them that long technically to make (and test) the fix, then they have other problems," said Maiffret, chief hacking officer at eEye Digital Security. "That's not a way to run a software company."
On Tuesday, Microsoft released a patch for vulnerabilities in a common networking component of Windows NT, Windows 2000, Windows XP and Windows Server 2003. The security flaws could allow an attacker to compromise a computer running any of those Windows systems or allow a malicious coder to create a worm that would affect a large number of systems connected to the Internet.
eEye notified Microsoft of the issue July 25 and of a second, similar issue on Sept. 25. The software giant didn't release a fix for either problem until this week, 200 days after the first flaw was reported.
Microsoft recently released a patch for a security flaw affecting various versions of Windows--more than six months after the company was first notified of the vulnerability.
Some say the software giant was inefficient; others say the complex problem demanded a thorough going-over; still others say less important but more widely publicized flaws skewed Microsoft's priorities.
"If our goal was to get everything out in 30 days or 60 days, we could do that," Jones said. "But our goal is to get out a quality patch."
Other security researchers agreed that 200 days, while long, is not necessarily a sign of problems.
"Whatever time frame it takes to fix something, you could always argue that it could have been made somewhat shorter," said Chris Wysopal, vice president of research and development for security firm @Stake, which counts Microsoft as a client. "It is definitely in the multimonth category because of how many versions of the operating system and the big applications that they had to test."
The flaws exist in Microsoft's implementation of Abstract Syntax Notation One, or ASN.1, a standard for describing and encoding structured data that many network protocols rely on. The code is shared by many Windows applications, and the vulnerabilities could let a remote attacker take control of a computer running a version of Windows that hasn't been patched, according to the advisory posted on Microsoft's Web site. Exploiting the flaw is much easier if the attacker can access a local network, the advisory noted.
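The article does not say what the defect inside Microsoft's ASN.1 code was, so the following is an added illustration, not code from this page or from Microsoft, of the part of any ASN.1 decoder where bugs of this kind tend to live: reading one BER tag-length-value element from untrusted bytes. A BER length can be written in a multi-octet "long form", so a decoder that trusts the declared length, or assembles it in a fixed-width integer without checking for overflow, can be driven past the end of its buffer. The function and type names are chosen for this example, and the sample encodings are constructed, not captured from any real system.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One decoded BER tag-length-value (TLV) element. */
typedef struct {
    unsigned char tag;           /* identifier octet (single-octet tags only) */
    const unsigned char *value;  /* start of the content octets inside the caller's buffer */
    size_t len;                  /* content length, already verified to fit in the buffer */
    size_t total;                /* bytes consumed: tag + length octets + content */
} tlv_t;

/* Decode one TLV from buf[0 .. buflen). Returns 1 on success, 0 on any
 * malformed or unsafe encoding. Two checks matter for memory safety:
 *  (1) a long-form length must not overflow size_t while it is assembled;
 *  (2) the declared content length must not exceed the bytes actually present. */
int ber_decode_tlv(const unsigned char *buf, size_t buflen, tlv_t *out)
{
    size_t pos = 0, len;
    if (buflen < 2) return 0;                        /* need at least tag + first length octet */
    unsigned char tag = buf[pos++];
    if ((tag & 0x1f) == 0x1f) return 0;              /* multi-octet tag numbers not handled here */
    unsigned char l0 = buf[pos++];
    if (l0 < 0x80) {
        len = l0;                                    /* short form: one octet, 0..127 */
    } else {
        size_t n = l0 & 0x7f;                        /* long form: n following length octets */
        if (n == 0) return 0;                        /* 0x80 = indefinite length, not allowed here */
        if (n > buflen - pos) return 0;              /* the length octets themselves are truncated */
        len = 0;
        for (size_t i = 0; i < n; i++) {
            if (len > (SIZE_MAX >> 8)) return 0;     /* check (1): the next shift would wrap */
            len = (len << 8) | buf[pos++];
        }
    }
    if (len > buflen - pos) return 0;                /* check (2): content must lie inside buf */
    out->tag = tag;
    out->value = buf + pos;
    out->len = len;
    out->total = pos + len;
    return 1;
}

/* Small wrappers so a caller can ask a yes/no or a size without a tlv_t. */
int ber_accepts(const unsigned char *buf, size_t buflen)
{
    tlv_t t;
    return ber_decode_tlv(buf, buflen, &t);
}

size_t ber_content_len(const unsigned char *buf, size_t buflen)
{
    tlv_t t;
    return ber_decode_tlv(buf, buflen, &t) ? t.len : SIZE_MAX;
}

/* Constructed sample encodings for this example (not captured from any real system). */
static const unsigned char SAMPLE_OK[]        = { 0x30, 0x03, 0x02, 0x01, 0x05 };  /* SEQUENCE { INTEGER 5 } */
static const unsigned char SAMPLE_TRUNCATED[] = { 0x30, 0x05, 0x02, 0x01, 0x05 };  /* claims 5 content bytes, has 3 */
static const unsigned char SAMPLE_HUGE[]      = { 0x30, 0x84, 0xff, 0xff, 0xff, 0xff,
                                                  0x02, 0x01, 0x05 };              /* claims about 4 GB of content */
static const unsigned char SAMPLE_WRAP[]      = { 0x30, 0x89, 0x01, 0, 0, 0, 0, 0, 0, 0, 0x03,  /* 9 length octets: */
                                                  0x02, 0x01, 0x05 };    /* wraps to 3 without check (1), then passes (2) */

int main(void)
{
    const struct { const char *name; const unsigned char *buf; size_t n; } cases[] = {
        { "well-formed", SAMPLE_OK,        sizeof SAMPLE_OK },
        { "truncated",   SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED },
        { "huge length", SAMPLE_HUGE,      sizeof SAMPLE_HUGE },
        { "wrapping",    SAMPLE_WRAP,      sizeof SAMPLE_WRAP },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        tlv_t t;
        if (ber_decode_tlv(cases[i].buf, cases[i].n, &t))
            printf("%-12s accepted: tag 0x%02x, %zu content bytes\n", cases[i].name, t.tag, t.len);
        else
            printf("%-12s rejected\n", cases[i].name);
    }
    return 0;
}
```

The "wrapping" case is the one worth studying: it is only nine length octets long, so a decoder that merely compares the finished length against the remaining buffer would accept it, because the accumulated value has already wrapped around to a small number. Check (1) has to run before each shift, not after the loop.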
Such widespread vulnerabilities are most tempting for the underground coders who
Stephen Toulouse, senior program manager of Microsoft's Security Response Center, said the fix took so long to create because of the difficulties posed by such a pervasive technology.
"ASN.1 is really an extremely deep...technology in Windows itself," Toulouse said. "This investigation required us to evaluate several different aspects. This is an instance where we really had to do our due diligence."
Yet the complexity of the problem isn't necessarily an adequate reason for the delay.
Another ASN.1 flaw that affected many more companies and involved more research was made public in only five months. Although the decision to disclose information on the flaw was made after such information had already leaked out, many companies had fixes in place or quickly made them available.
That flaw made network devices using version 1 of the Simple Network Management Protocol (SNMP)--a protocol used to monitor and manage network equipment over the Internet--vulnerable to attacks that could cause instability, crashes or compromises.
Such criticism may focus the company on flaws that should have a lower priority, said Thor Larholm, senior security researcher for security software maker PivX Solutions.
"Microsoft still does treat some of the security vulnerabilities as public relations issues," Larholm said. "They will put a priority on fixing flaws that their customers are complaining about."
The phishing flaw was patched in about 60 days, and the fix was released a week early.
For eEye, the difference in results is marked and has resulted in the company using new ways to get Microsoft to focus on its flaws. The company has turned up the heat on the creator of Windows by posting a list of vulnerabilities that eEye has submitted to Microsoft but that remain unfixed.
According to the list, two other serious flaws have yet to be patched, and it's been five months since the
For now, eEye's Maiffret is content to wait for the results of the new tactic. "It is just one sort of action to take," he said. "We have more things planned if they don't keep up."