Feeds

Gates defends Microsoft patch efforts

'We are absolutely doing our best'

  • alert
  • submit to reddit

Security for virtualized datacentres

Sydney Microsoft chairman Bill Gates defended the company's handling of security patches Monday following widespread attacks on the Internet by suspected Russian organized crime gangs.

Last week's attacks used unpatched vulnerabilities in Internet Explorer to deploy a Trojan horse program on the victim's machine, which could capture the user's Internet banking passwords. The SANS Institute's Internet Storm Center reported the attacks were launched through a large number of websites, some of them "quite popular," which had been penetrated and modified to deliver malicious code.

Two of the Internet Explorer vulnerabilities exploited in the attacks were discovered in active use on June 6th, and have not yet been patched by Microsoft, according to an analysis by IT security company Symantec. [Symantec publishes SecurityFocus]. The attacks also used a controversial Internet Explorer feature that permits local HTML documents to create or overwrite files on a user's computer. Though not a bug in and of itself, security researchers warned as early as last August that the feature becomes a serious attack vector when used in conjunction with Internet Explorer holes.

Still, speaking at a press conference here Monday, Gates told journalists that Microsoft's patching process compares well with competitors'. "You know, the time - the average time - to fix on an operating system other than Windows is typically ninety to a hundred days," said Gates. "Today we have that down to less than forty-eight hours."

Asked by SecurityFocus about the Russian hacks of last week, Gates hinted that the attacks wouldn't have been possible if administrators had installed a security patch Microsoft made available for its IIS Web server product last April.

"The Russian exploit that just came this weekend, that's [MS04-11]," said Gates, referring to the April update. "Believe me, there's been no six month wide open thing that has been there. We pull through Windows update as soon as we see something as being visible and serious."

But the open Internet Explorer holes can be exploited with or without unpatched Web servers, counters security researcher "Http-equiv," who specializes in IE vulnerabilities. "This is... completely irrelevant to the attack and was merely a novel method to extend the reach in a somewhat anonymous fashion," he wrote in an email interview. "It could have just as easily been setup on a regular free hosting service provider with one of many methods to direct the victims there."

Even so, Http-equiv agrees with Gates' claim that Microsoft is getting better at churning out fixes. "I have three confirmations to this effect for three issues I have found over the years, where they were quickly, and silently, patched in record time," the researcher said.

Security researcher Drew Copley, of eEye Digital Security, says Microsoft still has some work to do in its patching process, but there's no reason the company can't achieve good turnaround times "if they got their act together".

"The only reason they can not is because their system is not set up that way," says Copley. "It moves slowly, like a behemoth. They need to change their whole way of fixing security issues," he added.

Despite the claimed 48-hour production capability, the software giant would not commit to a guaranteed patch turnaround time. Gates would only say he is looking to speed up the process. "We can't say that... we'll have it fixed in an exact period of time," he said. "We will guarantee that the average time to fix will continue to come down."

Gates lauded Microsoft's recent handling of its security patching processes. "We have several hundred people who are on 24-hour availability to do this work. It is a phenomenal thing," he said. "If you track how we have improved over this last twenty four months, you'll see that we are absolutely doing our best."

Convincing its customers to turn on automatic security updates is one thing Microsoft has to do to make an impact on its users' security, he added.

Copyright © 2004, SecurityFocus logo

Related stories

CERT recommends anything but IE
Watch out! Incoming mass hack attack
Unpatched IE vuln exploited by adware
MS hatches June patch batch

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.