Microsoft is finding itself under increasing pressure to release fixes for critical vulnerabilities. This week, Microsoft broke from tradition again and opted to release an early fix for a critical Internet Explorer vulnerability. Since we’ve seen other critical vulnerabilities come up before this one, some of which were being exploited in the wild, why the change of policy? One factor that might be influencing this decision is the sudden availability of third-party patches. Back in March, eEye released an unofficial patch for the MSIE createTextRange() flaw, which drew criticism and contempt from Microsoft. Windows/IE users were under no pressure to use the patch, but it gave some an alternative to disabling Active Scripting entirely.
This time around, we’re seeing multiple third parties come up with alternative patches that may help some companies while they wait for Microsoft to officially fix a vulnerability. This week the Internet Explorer setSlice vulnerability is being exploited in the wild, with more than two weeks to go before Microsoft possibly releases a patch for it. With this recurring trend of critical vulnerabilities going unpatched for “too long”, a group of security professionals has created a new response team called ZERT to help consumers. Determina has also released a patch for the setSlice vulnerability, giving consumers even more choices for mitigating the threat while waiting for Microsoft to patch.
With more and more third-party patches available, will it pressure Microsoft to step up and break the monthly patch cycle more often? Will they realize that making patches available for critical vulnerabilities being exploited in the wild, even if not fully tested, is a better option than consumers finding themselves under the control of computer criminals and botnets? After all, we know that Microsoft is perfectly capable of producing fast patches when they think an issue is serious.
Microsoft has established a public database to allow Internet Explorer users to report bugs in the Web browser.
To post or view bugs, users must sign up for a Passport account on the Microsoft Connect Web site.
Microsoft plans to allow non-registered users to view reported bugs in a couple of months, according to a post on the Internet Explorer Weblog.
Microsoft is only accepting bug posts for Internet Explorer 7 and future versions.
The last line is curious. I understand a vendor’s motive for not supporting a product it considers old, and not updating it. I even understand a vendor saying “from here on out, no updates, including security updates”. However, MSIE6 will be heavily used for years to come, and will remain a large part of personal and corporate user installations. MSIE6 consists of a lot of code and represents a decade of work from Microsoft. Pointing out bugs in security or functionality should be of interest to them, even if they plan to completely ditch version 6. Such bugs would help them learn more about how the code is used and abused, and keep them from making the same mistakes in future releases.