Comments on: Second third-party fix out for Windows bug

Group of security professionals produces a patch for a flaw in Windows Shell that is being used in cyberattacks.

[ChazzMatt]

banker's hours

Problem is Microsoft wants to work banker's hours on these patches -- oh, once a month and only the ones we feel like working on, we'll get to yours eventually -- while the miscrants work 24/7.

Now, Microsoft is just about the richest software company in the world. Last time I heard they had $55 billion in cash parked in the bank. It's not like they can't afford more programmers!

[richto]

No its their customers that want this...

Microsoft release patches on a monthly schedule to meet the requirements of their enterprise customers. Microsoft also undertakes extensive compatibility and regression testing prior to release. Its not like Linux where some cowboy can mail out a patch in a few hours and hope that it works OK.

If an issue is being publically exploited then Microsoft release a patch faster. Very simple really.

Bear in mind that Microsoft are on average twice as fast at patching known security issues than Linux vendors...

[IonPwr]

What the admins wanted...

In reality, Microsoft's policy was created following the feedback of the IT people in major corporations who wanted a regular cycle of releases so that they will know when to expect things. This way they can test the supplied fix on their environment and then deploy it when they want and not when a users things they should deploy it.

Microsoft issues off-cycle updates as deemed necessary.

[john.breen]

Third-party fixes could cause more problems...

than they solve down the line. Imagine if numerous third-party fixes start making headlines and are used extensively. It wouldn't take long for fake orgs to pop up and start promising fixes when in fact they install spyware, etc.

Consider how many spyware "removal" programs there are out there and how many of them are actually legit. Register windowsrepairtools.com today and let the spamming begin.

Who will the uninformed home user trust? Unfortunately, everyone.

[slim-1]

Re: Third-party fixes could cause more problems...

"Who will the uninformed home user trust? Unfortunately, everyone."

Which is why part of any real solution is to require security training, testing and liscensing before a person can access the internet.

Part of this training should be an introduction to other OS options that are more secure such as Linux, Mac & BSD.

[icicle69]

This isn't a fix...

Did anyone look at the source code of this supposed "third party fix" before writing this article? It simply disables the affected activex controls (using the workaround steps provided in Microsoft's advisory).

I wouldn't consider this a "third party fix" that beat Microsoft to the punch, but mearly a helper utility that sets a few reg keys that Microsoft recommended disabling in the workaround section of the advisory.

Nice job digging up all the facts...

[Hoser McMoose]

The real question here...

"The Windows Shell flaw was found almost two months ago as part of HD Moore's "month of browser bugs." However, sample attack code became available only recently."

If the flaw is almost two months old it really should have been fixed in the LAST patch-Tuesday release. Besides, this sort of bug, as well as the "Zero-Day Wednesday" concept is quickly making Microsoft's idea of only releasing security fixes once a month seem like a rather poor decision. I understand the desire to keep the patches in groups released on a regular basis for the sake of enterprise IT departments, but they already had to backtrack on this once this month for the VML bug.

Perhaps they should move to having the patches available for download as soon as they are finished and tested but only move them to Automatic Updates once a month? Microsoft may also want to move to a bi-weekly patch cycle instead of their once-per-month schedule.

[singhrajender]

Blind with Hatred

I think you seem to be blind with hatred and not able to see the Lindy01's valid point..

[wbenton]

As much as I want to applaud them...

As much as I want to applaud these third party fixers... I just cannot bring myself to do it.

For the simple reason is that they're helping to keep the Windows community alive and Microsoft in business longer.

The sooner Microsoft goes out of business... the more secure the entire world will be!!!

No need in softening/slowing down Microsoft's demise!!!

It's their operating system... let them show the world how incompetent they are. If the community is unsafe due to Microsoft's lackluster patching methodology... then I say change to an operating system which patches better!

Microsoft has the bucks and the staff to fix the problems quicker... thus they don't need hand-outs from good will do'ers.

They might start to expect more of the same in the future and slack off on patching even more... and that's NOT a good trend to say the least.

Walt