Feeds

Gates defends Microsoft patch efforts

'We are absolutely doing our best'

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Sydney Microsoft chairman Bill Gates defended the company's handling of security patches Monday following widespread attacks on the Internet by suspected Russian organized crime gangs.

Last week's attacks used unpatched vulnerabilities in Internet Explorer to deploy a Trojan horse program on the victim's machine, which could capture the user's Internet banking passwords. The SANS Institute's Internet Storm Center reported the attacks were launched through a large number of websites, some of them "quite popular," which had been penetrated and modified to deliver malicious code.

Two of the Internet Explorer vulnerabilities exploited in the attacks were discovered in active use on June 6th, and have not yet been patched by Microsoft, according to an analysis by IT security company Symantec. [Symantec publishes SecurityFocus]. The attacks also used a controversial Internet Explorer feature that permits local HTML documents to create or overwrite files on a user's computer. Though not a bug in and of itself, security researchers warned as early as last August that the feature becomes a serious attack vector when used in conjunction with Internet Explorer holes.

Still, speaking at a press conference here Monday, Gates told journalists that Microsoft's patching process compares well with competitors'. "You know, the time - the average time - to fix on an operating system other than Windows is typically ninety to a hundred days," said Gates. "Today we have that down to less than forty-eight hours."

Asked by SecurityFocus about the Russian hacks of last week, Gates hinted that the attacks wouldn't have been possible if administrators had installed a security patch Microsoft made available for its IIS Web server product last April.

"The Russian exploit that just came this weekend, that's [MS04-11]," said Gates, referring to the April update. "Believe me, there's been no six month wide open thing that has been there. We pull through Windows update as soon as we see something as being visible and serious."

But the open Internet Explorer holes can be exploited with or without unpatched Web servers, counters security researcher "Http-equiv," who specializes in IE vulnerabilities. "This is... completely irrelevant to the attack and was merely a novel method to extend the reach in a somewhat anonymous fashion," he wrote in an email interview. "It could have just as easily been setup on a regular free hosting service provider with one of many methods to direct the victims there."

Even so, Http-equiv agrees with Gates' claim that Microsoft is getting better at churning out fixes. "I have three confirmations to this effect for three issues I have found over the years, where they were quickly, and silently, patched in record time," the researcher said.

Security researcher Drew Copley, of eEye Digital Security, says Microsoft still has some work to do in its patching process, but there's no reason the company can't achieve good turnaround times "if they got their act together".

"The only reason they can not is because their system is not set up that way," says Copley. "It moves slowly, like a behemoth. They need to change their whole way of fixing security issues," he added.

Despite the claimed 48-hour production capability, the software giant would not commit to a guaranteed patch turnaround time. Gates would only say he is looking to speed up the process. "We can't say that... we'll have it fixed in an exact period of time," he said. "We will guarantee that the average time to fix will continue to come down."

Gates lauded Microsoft's recent handling of its security patching processes. "We have several hundred people who are on 24-hour availability to do this work. It is a phenomenal thing," he said. "If you track how we have improved over this last twenty four months, you'll see that we are absolutely doing our best."

Convincing its customers to turn on automatic security updates is one thing Microsoft has to do to make an impact on its users' security, he added.

Copyright © 2004, SecurityFocus logo

Related stories

CERT recommends anything but IE
Watch out! Incoming mass hack attack
Unpatched IE vuln exploited by adware
MS hatches June patch batch

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.