Microsoft is again pledging to improve the security of its software by starting to notify customers of upcoming patches. However, the promise came just as experts warned that attack code exploiting a known flaw in Internet Explorer has begun to circulate.
US-CERT and Secunia said the newly discovered code attacks an as-yet unpatched flaw in Internet Explorer that could enable remote access to and control of a targeted PC. The flaw lies in how IE handles certain HTML tags; a crafted document could carry code that gives an attacker remote control of the machine.
Secunia said the attack will not work on Windows XP machines that have Service Pack 2 in place, but it labeled the problem “extremely critical” after spotting exploit code on Web mailing lists.
The warning came just as Microsoft announced at a European tech conference that it would begin making its Security Bulletin Advanced Notification program available to the public. That system currently informs large customers and other key contacts of what patches Microsoft is working on.
Starting this month, Microsoft will publish a summary of planned security bulletins and software patches three days before the actual downloads are made available. The idea is to help customers of all sizes plan ahead for patch application and reduce surprises, the company said.
“Customers worldwide, both at home and at work, have told us that they need help minimizing the risk of malicious threats,” said Rich Kaplan, corporate vice president of the Security Business & Technology Unit at Microsoft. “Although we’ve seen progress in addressing some of our customers’ top concerns, we remain focused on the evolving security challenges and are committed to working with our industry partners worldwide to improve the security of PCs and networks.”
Timing Is Everything
The timing of the two events underscores the work that lies ahead for Microsoft in the security space, analyst Rob Enderle of the Enderle Group said.
“It must get frustrating for them to move what seems like one step forward and one step back,” he said. “The good news is that they are taking steps that will help improve security in the long run. The bad news is it’s going to be a long haul to get to that point where they can tout their software’s security without looking over their shoulder.”
More than a year after Microsoft launched its Secure Computing initiative, new bugs in its software continue to be revealed, though experts say the numbers reflect the dominance of the company’s software as much as any other factor.
Making better security happen sooner is clearly in Microsoft’s best business interests, Enderle added, pointing to the minor but consistent erosion of market share in the browser space. There, consumers have moved in growing numbers to alternatives directly because of security concerns.
Sophos antivirus consultant Graham Cluley said the latest code is further proof that the time between exploit discovery and eventual attacks is shrinking rapidly.
“We’ve seen the time it takes go from a couple months to a couple weeks,” he said. “It will probably be a matter of days before long.”
Cluley said companies still must apply patches as soon as they become available, despite the lag in their availability. “Patching regularly is still one of the best things anyone can do to improve their security,” he said.