Microsoft probably does not mind that its monthly round of security patches for June are causing much less of a ruckus than previous months when the company was caught in the middle of a worm war that targeted its Windows systems and forced the company to play catch-up with vulnerabilities that were giving virus writers an edge.
This month’s set of patches address relatively minor, “moderate” rated vulnerabilities in Crystal Reports Web Viewer and the DirectX application programming interface (API), which is particularly significant to gamers using DirectX 7.0a to 9.0b.
Security experts said that while Microsoft is benefiting from the usual lull in computer viruses and worms that comes with the end of school and the onset of summer breaks, Microsoft has improved its patching process and has shown an ability to respond to security issues more quickly.
“Overall, I think they have made some important strides,” iDefense Labs director Michael Sutton told TechNewsWorld. “I don’t think they’re there yet.”
And even as Microsoft caused less fear than previous patch releases for more dangerous vulnerabilities, the company’s software security was again being called into question on old, already-patched issues, according to security mailing lists.
Business and Game Holes
In its now regular monthly update on the first Tuesday of the month, Microsoft said in a bulletin that its Crystal Reports Web Viewer contact-management software and its DirectX software, used primarily for graphics and gaming, could fall victim to denial of service (DoS) attacks.
Microsoft said customers using Visual Studio .Net 2003 and Outlook 2003 with Business Contact Manager and Internet Information Services installed should apply the latest patch for both products. Microsoft also said users of its Microsoft Business Solutions CRM 1.2 should download and install a patch available on the Business Objects Web site.
The DirectX vulnerability — affecting Windows 98 through XP and Server 2003, including 64-bit versions of the systems — could also allow a DoS attack that would shut down a system using Microsoft DirectPlay.
Sutton said he agreed with the moderate ratings from Microsoft and credited the company for its willingness to upgrade a security rating, which the company did on the advice of iDefense about a monthly patch last winter.
Still, Sutton referred to the difficulty of providing the proper testing for its widely used, multilanguage software, and said Microsoft is pressed by time. Sutton added that the software giant’s time frame that has stretched to six months or more between disclosure and patch is “unacceptable.”
“They really have to shorten that time line,” Sutton said. “The biggest danger there is just because Microsoft and a security researcher knows about it, it doesn’t mean other people don’t know about it.”
Sutton also criticized Microsoft’s organization of advisories, which can contain 10 or more vulnerabilities listed in each one.
“I really think they should be doing an advisory per vulnerability,” he said. However, he praised the software company’s new monthly patching efforts, which began last October, and said the monthly patches are alleviating some of the patching problems that companies were previously experiencing.
“The monthly patch cycle is very important, and they’re a leader there,” Sutton said. “There aren’t a lot of vendors doing that, but the predictability makes it [better]. It really does make a difference. You don’t know what’s being released and you don’t know how severe it is, but you know what day it is.”
Sutton added that he expects other major software vendors will likely follow the model, unofficially at least.
Sweet Summer for Redmond
Ken Dunham, iDefense malicious code intelligence manager, told TechNewsWorld that summer is typically a more tame time for virus and worm activity, “for whatever reason.”
However, Dunham added, “it’s a pretty volatile world out there and there are a lot more people doing malicious things.”
Dunham referred to the success of Microsoft’s bounty for virus writers and international efforts that led to recent arrests in Germany and said they seem to have had an effect.
However, Dunham also referred to the increased awareness and communication among attackers and virus writers and contrasted it to the tricky business of releasing a sufficient security patch.
“These are difficult problems to solve,” Dunham said. “They’re integrated, and sometimes you think you’ve got it fixed and you don’t.”