Feeds

Gates defends Microsoft patch efforts

'We are absolutely doing our best'

  • alert
  • submit to reddit

High performance access to file storage

Sydney Microsoft chairman Bill Gates defended the company's handling of security patches Monday following widespread attacks on the Internet by suspected Russian organized crime gangs.

Last week's attacks used unpatched vulnerabilities in Internet Explorer to deploy a Trojan horse program on the victim's machine, which could capture the user's Internet banking passwords. The SANS Institute's Internet Storm Center reported the attacks were launched through a large number of websites, some of them "quite popular," which had been penetrated and modified to deliver malicious code.

Two of the Internet Explorer vulnerabilities exploited in the attacks were discovered in active use on June 6th, and have not yet been patched by Microsoft, according to an analysis by IT security company Symantec. [Symantec publishes SecurityFocus]. The attacks also used a controversial Internet Explorer feature that permits local HTML documents to create or overwrite files on a user's computer. Though not a bug in and of itself, security researchers warned as early as last August that the feature becomes a serious attack vector when used in conjunction with Internet Explorer holes.

Still, speaking at a press conference here Monday, Gates told journalists that Microsoft's patching process compares well with competitors'. "You know, the time - the average time - to fix on an operating system other than Windows is typically ninety to a hundred days," said Gates. "Today we have that down to less than forty-eight hours."

Asked by SecurityFocus about the Russian hacks of last week, Gates hinted that the attacks wouldn't have been possible if administrators had installed a security patch Microsoft made available for its IIS Web server product last April.

"The Russian exploit that just came this weekend, that's [MS04-11]," said Gates, referring to the April update. "Believe me, there's been no six month wide open thing that has been there. We pull through Windows update as soon as we see something as being visible and serious."

But the open Internet Explorer holes can be exploited with or without unpatched Web servers, counters security researcher "Http-equiv," who specializes in IE vulnerabilities. "This is... completely irrelevant to the attack and was merely a novel method to extend the reach in a somewhat anonymous fashion," he wrote in an email interview. "It could have just as easily been setup on a regular free hosting service provider with one of many methods to direct the victims there."

Even so, Http-equiv agrees with Gates' claim that Microsoft is getting better at churning out fixes. "I have three confirmations to this effect for three issues I have found over the years, where they were quickly, and silently, patched in record time," the researcher said.

Security researcher Drew Copley, of eEye Digital Security, says Microsoft still has some work to do in its patching process, but there's no reason the company can't achieve good turnaround times "if they got their act together".

"The only reason they can not is because their system is not set up that way," says Copley. "It moves slowly, like a behemoth. They need to change their whole way of fixing security issues," he added.

Despite the claimed 48-hour production capability, the software giant would not commit to a guaranteed patch turnaround time. Gates would only say he is looking to speed up the process. "We can't say that... we'll have it fixed in an exact period of time," he said. "We will guarantee that the average time to fix will continue to come down."

Gates lauded Microsoft's recent handling of its security patching processes. "We have several hundred people who are on 24-hour availability to do this work. It is a phenomenal thing," he said. "If you track how we have improved over this last twenty four months, you'll see that we are absolutely doing our best."

Convincing its customers to turn on automatic security updates is one thing Microsoft has to do to make an impact on its users' security, he added.

Copyright © 2004, SecurityFocus logo

Related stories

CERT recommends anything but IE
Watch out! Incoming mass hack attack
Unpatched IE vuln exploited by adware
MS hatches June patch batch

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.