Feeds

Gates defends Microsoft patch efforts

'We are absolutely doing our best'

  • alert
  • submit to reddit

Using blade systems to cut costs and sharpen efficiencies

Sydney Microsoft chairman Bill Gates defended the company's handling of security patches Monday following widespread attacks on the Internet by suspected Russian organized crime gangs.

Last week's attacks used unpatched vulnerabilities in Internet Explorer to deploy a Trojan horse program on the victim's machine, which could capture the user's Internet banking passwords. The SANS Institute's Internet Storm Center reported the attacks were launched through a large number of websites, some of them "quite popular," which had been penetrated and modified to deliver malicious code.

Two of the Internet Explorer vulnerabilities exploited in the attacks were discovered in active use on June 6th, and have not yet been patched by Microsoft, according to an analysis by IT security company Symantec. [Symantec publishes SecurityFocus]. The attacks also used a controversial Internet Explorer feature that permits local HTML documents to create or overwrite files on a user's computer. Though not a bug in and of itself, security researchers warned as early as last August that the feature becomes a serious attack vector when used in conjunction with Internet Explorer holes.

Still, speaking at a press conference here Monday, Gates told journalists that Microsoft's patching process compares well with competitors'. "You know, the time - the average time - to fix on an operating system other than Windows is typically ninety to a hundred days," said Gates. "Today we have that down to less than forty-eight hours."

Asked by SecurityFocus about the Russian hacks of last week, Gates hinted that the attacks wouldn't have been possible if administrators had installed a security patch Microsoft made available for its IIS Web server product last April.

"The Russian exploit that just came this weekend, that's [MS04-11]," said Gates, referring to the April update. "Believe me, there's been no six month wide open thing that has been there. We pull through Windows update as soon as we see something as being visible and serious."

But the open Internet Explorer holes can be exploited with or without unpatched Web servers, counters security researcher "Http-equiv," who specializes in IE vulnerabilities. "This is... completely irrelevant to the attack and was merely a novel method to extend the reach in a somewhat anonymous fashion," he wrote in an email interview. "It could have just as easily been setup on a regular free hosting service provider with one of many methods to direct the victims there."

Even so, Http-equiv agrees with Gates' claim that Microsoft is getting better at churning out fixes. "I have three confirmations to this effect for three issues I have found over the years, where they were quickly, and silently, patched in record time," the researcher said.

Security researcher Drew Copley, of eEye Digital Security, says Microsoft still has some work to do in its patching process, but there's no reason the company can't achieve good turnaround times "if they got their act together".

"The only reason they can not is because their system is not set up that way," says Copley. "It moves slowly, like a behemoth. They need to change their whole way of fixing security issues," he added.

Despite the claimed 48-hour production capability, the software giant would not commit to a guaranteed patch turnaround time. Gates would only say he is looking to speed up the process. "We can't say that... we'll have it fixed in an exact period of time," he said. "We will guarantee that the average time to fix will continue to come down."

Gates lauded Microsoft's recent handling of its security patching processes. "We have several hundred people who are on 24-hour availability to do this work. It is a phenomenal thing," he said. "If you track how we have improved over this last twenty four months, you'll see that we are absolutely doing our best."

Convincing its customers to turn on automatic security updates is one thing Microsoft has to do to make an impact on its users' security, he added.

Copyright © 2004, SecurityFocus logo

Related stories

CERT recommends anything but IE
Watch out! Incoming mass hack attack
Unpatched IE vuln exploited by adware
MS hatches June patch batch

Boost IT visibility and business value

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.