Microsoft has broken its monthly cycle of security updates to plug a fewholes in its Internet Explorer browser, including the Download.Jectscripting weakness that caused a widespread, Web-based attack scarein June.
The Download.Ject vulnerability and similar browser weaknesses prompted many security experts to recommend the use of alternative browsers, at least temporarily.
According to critics, the recent patch, which also addresses GIF and bitmap file processing weaknesses, took Microsoft too long.
Other security experts point out, however, that it takes a significant amount of testing to patch Explorer, which is tightly integrated with the Windows operating system. “It takes time to wade through it all,” according to Ken Dunham, the director of malicious code intelligence for the computer security firm iDefense.
Microsoft, which rated the Explorer update “critical,” said the patch resolvesseveral recently discovered vulnerabilities.
The company said that if a user was logged on with administrative privileges,an attacker who successfully exploited the most severe of thevulnerabilities could take complete control of an affected system andinstall programs, create new accounts with full privileges, as well as view, change and delete data.
Microsoft also said it had to correct the update, initially releasedlast Friday, because the version for customers using the new WindowsUpdate 5 did not contain the final release code for the vulnerabilities.The company recommended that customers apply the update immediately.
Since last October Microsoft has followed a schedule in which it releases security updates on the second Tuesday of every month. The company, however, has been forced to break the cycle for critical fixes, particularly with Explorer.
While the company has been praised for providing a regular routine forsystem administrators, the constant pressure on Explorer has forced out-of-cycle patches, which nonetheless have been criticized as tooslow.
IDefense’s Dunham said system administrators have little choice but to patchsystems as soon as possible.
“When [patches] come, you’re glad to have them because you need them toprotect your system,” Dunham said.
Richard Stiennon, vice president of the technology research firm Gartner, has been critical of Microsoft’s speed on patches. He claims that much of the problem lies in Explorer’s close integration with Windows, which allows Internet-based intrusions such as the Download.Ject problem.
“Explorer has way too many hooks, and it’s way too closely tied to theoperating system,” Stiennon said.
The barrage of vulnerabilities, attacks and infections has caused somesecurity organizations, including the federal government’s Computer Emergency Readiness Team (CERT), to recommend the use of alternative browsers, which some surveys suggest have grown more popular in recent months.
CERT spokesperson Kelly Kimberland told TechNewsWorld that the grouprecommends security steps but does not recommend use of any particularsoftware. In recent security notes, however, the group advised use of analternate Web browser to avoid Explorer’s vulnerabilities.
While it may be unreasonable for a large organization to switchbrowsers for security reasons, the cost could be viewed as an addedexpense of security, according to iDefense’s Dunham.
He said security experts are hoping that the coming month is not as busy as August 2003, the worst virus month in history.
“We’re in watch mode,” Dunham said. “[T]he end of summer [is] generally when we see attacks ramp up for fall.”